Diffstat (limited to 'src/vnet')
24 files changed, 1737 insertions, 163 deletions
diff --git a/src/vnet/sctp/sctp.c b/src/vnet/sctp/sctp.c
index cc70f7ccd8d..df5d86094a5 100644
--- a/src/vnet/sctp/sctp.c
+++ b/src/vnet/sctp/sctp.c
@@ -905,6 +905,8 @@ const static transport_proto_vft_t sctp_proto = {
 .format_connection = format_sctp_session,
 .format_listener = format_sctp_listener_session,
 .format_half_open = format_sctp_half_open,
+ .tx_type = TRANSPORT_TX_DEQUEUE,
+ .service_type = TRANSPORT_SERVICE_VC,
 };
 /* *INDENT ON* */
 
diff --git a/src/vnet/session-apps/echo_client.c b/src/vnet/session-apps/echo_client.c
index 27e253a9235..7bf98470df0 100644
--- a/src/vnet/session-apps/echo_client.c
+++ b/src/vnet/session-apps/echo_client.c
@@ -426,7 +426,7 @@ static session_cb_vft_t echo_clients = {
 .session_connected_callback = echo_clients_session_connected_callback,
 .session_accept_callback = echo_clients_session_create_callback,
 .session_disconnect_callback = echo_clients_session_disconnect_callback,
- .builtin_server_rx_callback = echo_clients_rx_callback,
+ .builtin_app_rx_callback = echo_clients_rx_callback,
 .add_segment_callback = echo_client_add_segment_callback
 };
 /* *INDENT-ON* */
diff --git a/src/vnet/session-apps/echo_server.c b/src/vnet/session-apps/echo_server.c
index 0d0350819c9..39d848f5d8c 100644
--- a/src/vnet/session-apps/echo_server.c
+++ b/src/vnet/session-apps/echo_server.c
@@ -245,7 +245,7 @@ static session_cb_vft_t echo_server_session_cb_vft = {
 .session_disconnect_callback = echo_server_session_disconnect_callback,
 .session_connected_callback = echo_server_session_connected_callback,
 .add_segment_callback = echo_server_add_segment_callback,
- .builtin_server_rx_callback = echo_server_rx_callback,
+ .builtin_app_rx_callback = echo_server_rx_callback,
 .session_reset_callback = echo_server_session_reset_callback
 };
 
@@ -267,19 +267,21 @@ create_api_loopback (vlib_main_t * vm)
 static int
 echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret)
 {
+ vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert;
+ vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key;
 echo_server_main_t *esm = &echo_server_main;
- u64 options[APP_OPTIONS_N_OPTIONS];
 vnet_app_attach_args_t _a, *a = &_a;
+ u64 options[APP_OPTIONS_N_OPTIONS];
 u32 segment_size = 512 << 20;
 
 memset (a, 0, sizeof (*a));
 memset (options, 0, sizeof (options));
 
 if (esm->no_echo)
- echo_server_session_cb_vft.builtin_server_rx_callback =
+ echo_server_session_cb_vft.builtin_app_rx_callback =
 echo_server_builtin_server_rx_callback_no_echo;
 else
- echo_server_session_cb_vft.builtin_server_rx_callback =
+ echo_server_session_cb_vft.builtin_app_rx_callback =
 echo_server_rx_callback;
 
 if (esm->private_segment_size)
@@ -310,6 +312,18 @@ echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret)
 return -1;
 }
 esm->app_index = a->app_index;
+
+ memset (a_cert, 0, sizeof (*a_cert));
+ a_cert->app_index = a->app_index;
+ vec_validate (a_cert->cert, test_srv_crt_rsa_len);
+ clib_memcpy (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len);
+ vnet_app_add_tls_cert (a_cert);
+
+ memset (a_key, 0, sizeof (*a_key));
+ a_key->app_index = a->app_index;
+ vec_validate (a_key->key, test_srv_key_rsa_len);
+ clib_memcpy (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len);
+ vnet_app_add_tls_key (a_key);
 return 0;
 }
 
diff --git a/src/vnet/session-apps/http_server.c b/src/vnet/session-apps/http_server.c
index eeb755b0fc4..6a2e6cda1a2 100644
--- a/src/vnet/session-apps/http_server.c
+++ b/src/vnet/session-apps/http_server.c
@@ -53,6 +53,7 @@ typedef struct
 u32 prealloc_fifos;
 u32 private_segment_size;
 u32 fifo_size;
+ u8 *uri;
 vlib_main_t *vlib_main;
 } http_server_main_t;
 
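Review bot: The return values of `vnet_app_add_tls_cert (a_cert)` and `vnet_app_add_tls_key (a_key)` in the `@@ -310` hunk are discarded, so if either registration reports a failure the function still returns 0 and the app is attached without a usable TLS identity; if those calls return an error, check it, e.g. `if (vnet_app_add_tls_cert (a_cert)) return -1;` and likewise for the key. The identical block added to server_attach in http_server.c (`@@ -526`) has the same gap. `vec_validate (a_cert->cert, test_srv_crt_rsa_len)` also makes the vector one byte longer than the copied data, leaving a trailing zero; that looks intended as the NUL a PEM parser needs, and a one-line comment such as `/* len + 1: keep trailing NUL for PEM parsing */` would stop a later cleanup from removing it. Since the material loaded here is the built-in test RSA pair, a comment saying the certificate is a fixed test identity and not configurable would help anyone reusing this attach code.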
@@ -476,7 +477,7 @@ static session_cb_vft_t http_server_session_cb_vft = {
 .session_disconnect_callback = http_server_session_disconnect_callback,
 .session_connected_callback = http_server_session_connected_callback,
 .add_segment_callback = http_server_add_segment_callback,
- .builtin_server_rx_callback = http_server_rx_callback,
+ .builtin_app_rx_callback = http_server_rx_callback,
 .session_reset_callback = http_server_session_reset_callback
 };
 
@@ -498,6 +499,8 @@ create_api_loopback (vlib_main_t * vm)
 static int
 server_attach ()
 {
+ vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert;
+ vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key;
 http_server_main_t *hsm = &http_server_main;
 u64 options[APP_OPTIONS_N_OPTIONS];
 vnet_app_attach_args_t _a, *a = &_a;
@@ -526,6 +529,19 @@ server_attach ()
 return -1;
 }
 hsm->app_index = a->app_index;
+
+ memset (a_cert, 0, sizeof (*a_cert));
+ a_cert->app_index = a->app_index;
+ vec_validate (a_cert->cert, test_srv_crt_rsa_len);
+ clib_memcpy (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len);
+ vnet_app_add_tls_cert (a_cert);
+
+ memset (a_key, 0, sizeof (*a_key));
+ a_key->app_index = a->app_index;
+ vec_validate (a_key->key, test_srv_key_rsa_len);
+ clib_memcpy (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len);
+ vnet_app_add_tls_key (a_key);
+
 return 0;
 }
 
@@ -537,6 +553,8 @@ http_server_listen ()
 memset (a, 0, sizeof (*a));
 a->app_index = hsm->app_index;
 a->uri = "tcp://0.0.0.0/80";
+ if (hsm->uri)
+ a->uri = (char *) hsm->uri;
 return vnet_bind_uri (a);
 }
 
@@ -599,6 +617,8 @@ http_server_create_command_fn (vlib_main_t * vm,
 }
 else if (unformat (input, "fifo-size %d", &hsm->fifo_size))
 hsm->fifo_size <<= 10;
+ else if (unformat (input, "uri %s", &hsm->uri))
+ ;
 else
 return clib_error_return (0, "unknown input `%U'",
 format_unformat_error, input);
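Review bot: In the http_server_listen hunk (`@@ -537`), `a->uri = (char *) hsm->uri;` passes a vector filled by `unformat (input, "uri %s", &hsm->uri)` to vnet_bind_uri, which is used here as a C string; unless unformat's `%s` guarantees a trailing NUL (worth confirming against the vppinfra unformat implementation), the URI parser can read past the end of the vector. The safe fix is in the command parser hunk (`@@ -599`): replace the bare `;` after the `uri %s` match with `vec_add1 (hsm->uri, 0);`. Issuing the create command a second time also leaks the previous vector, so a `vec_free (hsm->uri);` before the match would cover that too.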
@@ -610,7 +630,7 @@ http_server_create_command_fn (vlib_main_t * vm,
 
 if (is_static)
 {
- http_server_session_cb_vft.builtin_server_rx_callback =
+ http_server_session_cb_vft.builtin_app_rx_callback =
 http_server_rx_callback_static;
 html = format (0, html_header_static);
 static_http = format (0, http_response, vec_len (html), html);
diff --git a/src/vnet/session-apps/proxy.c b/src/vnet/session-apps/proxy.c
index 1cbacdbc894..af490177502 100644
--- a/src/vnet/session-apps/proxy.c
+++ b/src/vnet/session-apps/proxy.c
@@ -232,7 +232,7 @@ static session_cb_vft_t proxy_session_cb_vft = {
 .session_disconnect_callback = proxy_disconnect_callback,
 .session_connected_callback = proxy_connected_callback,
 .add_segment_callback = proxy_add_segment_callback,
- .builtin_server_rx_callback = proxy_rx_callback,
+ .builtin_app_rx_callback = proxy_rx_callback,
 .session_reset_callback = proxy_reset_callback
 };
 
@@ -348,7 +348,7 @@ static session_cb_vft_t active_open_clients = {
 .session_connected_callback = active_open_connected_callback,
 .session_accept_callback = active_open_create_callback,
 .session_disconnect_callback = active_open_disconnect_callback,
- .builtin_server_rx_callback = active_open_rx_callback
+ .builtin_app_rx_callback = active_open_rx_callback
 };
 /* *INDENT-ON* */
 
diff --git a/src/vnet/session-apps/tls.c b/src/vnet/session-apps/tls.c
new file mode 100644
index 00000000000..a747990d200
--- /dev/null
+++ b/src/vnet/session-apps/tls.c
@@ -0,0 +1,1161 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/session/application_interface.h>
+#include <vppinfra/lock.h>
+#include <mbedtls/ssl.h>
+#include <mbedtls/certs.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/timing.h>
+#include <mbedtls/debug.h>
+
+#define TLS_DEBUG (0)
+#define TLS_DEBUG_LEVEL_CLIENT (0)
+#define TLS_DEBUG_LEVEL_SERVER (0)
+#define TLS_CHUNK_SIZE (1 << 14)
+#define TLS_USE_OUR_MEM_FUNCS (0)
+
+#if TLS_DEBUG
+#define TLS_DBG(_lvl, _fmt, _args...) \
+ if (_lvl <= TLS_DEBUG) \
+ clib_warning (_fmt, ##_args)
+#else
+#define TLS_DBG(_fmt, _args...)
+#endif + +#if TLS_USE_OUR_MEM_FUNCS +#include <mbedtls/platform.h> + +void * +mbedtls_calloc_fn (size_t n, size_t size) +{ + void *ptr; + ptr = clib_mem_alloc (n * size); + memset (ptr, 0, sizeof (*ptr)); + return ptr; +} + +void +mbedtls_free_fn (void *ptr) +{ + if (ptr) + clib_mem_free (ptr); +} +#endif + +/* *INDENT-OFF* */ +typedef CLIB_PACKED (struct tls_cxt_id_ +{ + u32 parent_app_index; + session_handle_t app_session_handle; + session_handle_t tls_session_handle; + u32 listener_ctx_index; + u8 tcp_is_ip4; +}) tls_ctx_id_t; +/* *INDENT-ON* */ + +typedef struct tls_ctx_ +{ + union + { + transport_connection_t connection; + tls_ctx_id_t c_tls_ctx_id; + }; +#define parent_app_index c_tls_ctx_id.parent_app_index +#define app_session_handle c_tls_ctx_id.app_session_handle +#define tls_session_handle c_tls_ctx_id.tls_session_handle +#define listener_ctx_index c_tls_ctx_id.listener_ctx_index +#define tcp_is_ip4 c_tls_ctx_id.tcp_is_ip4 + + /* Temporary storage for session open opaque. Overwritten once + * underlying tcp connection is established */ +#define parent_app_api_context c_s_index + + u8 is_passive_close; + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_x509_crt srvcert; + mbedtls_pk_context pkey; +} tls_ctx_t; + +typedef struct tls_main_ +{ + u32 app_index; + tls_ctx_t **ctx_pool; + mbedtls_ctr_drbg_context *ctr_drbgs; + mbedtls_entropy_context *entropy_pools; + tls_ctx_t *listener_ctx_pool; + tls_ctx_t *half_open_ctx_pool; + clib_rwlock_t half_open_rwlock; + mbedtls_x509_crt cacert; +} tls_main_t; + +static tls_main_t tls_main; + +void tls_disconnect (u32 ctx_index, u32 thread_index); + +static inline int +tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type) +{ + session_fifo_event_t evt; + svm_queue_t *q; + + if (svm_fifo_set_event (f)) + { + evt.fifo = f; + evt.event_type = evt_type; + + q = session_manager_get_vpp_event_queue (f->master_thread_index); + if (PREDICT_TRUE (q->cursize < q->maxsize)) + { + svm_queue_add (q, (u8 *) & evt, 0 /* do 
wait for mutex */ ); + } + else + { + clib_warning ("vpp's evt q full"); + return -1; + } + } + return 0; +} + +static inline int +tls_add_app_q_evt (application_t * app, stream_session_t * app_session) +{ + session_fifo_event_t evt; + svm_queue_t *q; + + if (PREDICT_FALSE (app_session->session_state == SESSION_STATE_CLOSED)) + { + /* Session is closed so app will never clean up. Flush rx fifo */ + u32 to_dequeue = svm_fifo_max_dequeue (app_session->server_rx_fifo); + if (to_dequeue) + svm_fifo_dequeue_drop (app_session->server_rx_fifo, to_dequeue); + return 0; + } + + if (app->cb_fns.builtin_app_rx_callback) + return app->cb_fns.builtin_app_rx_callback (app_session); + + if (svm_fifo_set_event (app_session->server_rx_fifo)) + { + evt.fifo = app_session->server_rx_fifo; + evt.event_type = FIFO_EVENT_APP_RX; + q = app->event_queue; + + if (PREDICT_TRUE (q->cursize < q->maxsize)) + { + svm_queue_add (q, (u8 *) & evt, 0 /* do wait for mutex */ ); + } + else + { + clib_warning ("app evt q full"); + return -1; + } + } + return 0; +} + +u32 +tls_ctx_alloc (void) +{ + u8 thread_index = vlib_get_thread_index (); + tls_main_t *tm = &tls_main; + tls_ctx_t *ctx; + + pool_get (tm->ctx_pool[thread_index], ctx); + memset (ctx, 0, sizeof (*ctx)); + ctx->c_thread_index = thread_index; + return ctx - tm->ctx_pool[thread_index]; +} + +void +tls_ctx_free (tls_ctx_t * ctx) +{ + pool_put (tls_main.ctx_pool[vlib_get_thread_index ()], ctx); +} + +tls_ctx_t * +tls_ctx_get (u32 ctx_index) +{ + return pool_elt_at_index (tls_main.ctx_pool[vlib_get_thread_index ()], + ctx_index); +} + +tls_ctx_t * +tls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) +{ + return pool_elt_at_index (tls_main.ctx_pool[thread_index], ctx_index); +} + +u32 +tls_ctx_index (tls_ctx_t * ctx) +{ + return (ctx - tls_main.ctx_pool[vlib_get_thread_index ()]); +} + +u32 +tls_listener_ctx_alloc (void) +{ + tls_main_t *tm = &tls_main; + tls_ctx_t *ctx; + + pool_get (tm->listener_ctx_pool, ctx); + memset (ctx, 0, sizeof 
(*ctx)); + return ctx - tm->listener_ctx_pool; +} + +void +tls_ctx_listener_free (tls_ctx_t * ctx) +{ + pool_put (tls_main.half_open_ctx_pool, ctx); +} + +tls_ctx_t * +tls_listener_ctx_get (u32 ctx_index) +{ + return pool_elt_at_index (tls_main.listener_ctx_pool, ctx_index); +} + +u32 +tls_listener_ctx_index (tls_ctx_t * ctx) +{ + return (ctx - tls_main.listener_ctx_pool); +} + +u32 +tls_ctx_half_open_alloc (void) +{ + tls_main_t *tm = &tls_main; + u8 will_expand = 0; + tls_ctx_t *ctx; + u32 ctx_index; + + pool_get_aligned_will_expand (tm->half_open_ctx_pool, will_expand, 0); + if (PREDICT_FALSE (will_expand && vlib_num_workers ())) + { + clib_rwlock_writer_lock (&tm->half_open_rwlock); + pool_get (tm->half_open_ctx_pool, ctx); + memset (ctx, 0, sizeof (*ctx)); + ctx_index = ctx - tm->half_open_ctx_pool; + clib_rwlock_writer_unlock (&tm->half_open_rwlock); + } + else + { + pool_get (tm->half_open_ctx_pool, ctx); + memset (ctx, 0, sizeof (*ctx)); + ctx_index = ctx - tm->half_open_ctx_pool; + } + return ctx_index; +} + +void +tls_ctx_half_open_free (u32 ho_index) +{ + tls_main_t *tm = &tls_main; + clib_rwlock_writer_lock (&tm->half_open_rwlock); + pool_put_index (tls_main.half_open_ctx_pool, ho_index); + clib_rwlock_writer_unlock (&tm->half_open_rwlock); +} + +tls_ctx_t * +tls_ctx_half_open_get (u32 ctx_index) +{ + tls_main_t *tm = &tls_main; + clib_rwlock_reader_lock (&tm->half_open_rwlock); + return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index); +} + +void +tls_ctx_half_open_reader_unlock () +{ + clib_rwlock_reader_unlock (&tls_main.half_open_rwlock); +} + +u32 +tls_ctx_half_open_index (tls_ctx_t * ctx) +{ + return (ctx - tls_main.half_open_ctx_pool); +} + +static int +tls_init_ctr_drbgs_and_entropy (u32 num_threads) +{ + tls_main_t *tm = &tls_main; + int i; + + vec_validate (tm->ctr_drbgs, num_threads - 1); + vec_validate (tm->entropy_pools, num_threads - 1); + for (i = 0; i < num_threads; i++) + tls_main.ctr_drbgs[i].f_entropy = 0; + + return 0; +} + 
+static int +tls_init_ctr_seed_drbgs (void) +{ + u32 thread_index = vlib_get_thread_index (); + tls_main_t *tm = &tls_main; + u8 *pers; + int rv; + pers = format (0, "vpp thread %u", thread_index); + + mbedtls_entropy_init (&tm->entropy_pools[thread_index]); + mbedtls_ctr_drbg_init (&tls_main.ctr_drbgs[thread_index]); + if ((rv = mbedtls_ctr_drbg_seed (&tm->ctr_drbgs[thread_index], + mbedtls_entropy_func, + &tm->entropy_pools[thread_index], + (const unsigned char *) pers, + vec_len (pers))) != 0) + { + vec_free (pers); + TLS_DBG (1, " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv); + return -1; + } + vec_free (pers); + return 0; +} + +mbedtls_ctr_drbg_context * +tls_get_ctr_drbg () +{ + u8 thread_index = vlib_get_thread_index (); + if (PREDICT_FALSE (!tls_main.ctr_drbgs[thread_index].f_entropy)) + tls_init_ctr_seed_drbgs (); + return &tls_main.ctr_drbgs[thread_index]; +} + +static int +tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len) +{ + stream_session_t *tls_session; + uword ctx_index; + tls_ctx_t *ctx; + int rv; + + ctx_index = pointer_to_uword (ctx_indexp); + ctx = tls_ctx_get (ctx_index); + tls_session = session_get_from_handle (ctx->tls_session_handle); + rv = svm_fifo_enqueue_nowait (tls_session->server_tx_fifo, len, buf); + if (rv < 0) + return MBEDTLS_ERR_SSL_WANT_WRITE; + tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return rv; +} + +static int +tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len) +{ + stream_session_t *tls_session; + uword ctx_index; + tls_ctx_t *ctx; + int rv; + + ctx_index = pointer_to_uword (ctx_indexp); + ctx = tls_ctx_get (ctx_index); + tls_session = session_get_from_handle (ctx->tls_session_handle); + rv = svm_fifo_dequeue_nowait (tls_session->server_rx_fifo, len, buf); + return (rv < 0) ? 
0 : rv; +} + +static void +mbedtls_debug (void *ctx, int level, const char *file, int line, + const char *str) +{ + ((void) level); + fprintf ((FILE *) ctx, "%s:%04d: %s", file, line, str); + fflush ((FILE *) ctx); +} + +static int +tls_ctx_init_client (tls_ctx_t * ctx) +{ + tls_main_t *tm = &tls_main; + void *ctx_ptr; + int rv; + + /* + * 1. Setup SSL + */ + mbedtls_ssl_init (&ctx->ssl); + mbedtls_ssl_config_init (&ctx->conf); + if ((rv = mbedtls_ssl_config_defaults (&ctx->conf, MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT)) != 0) + { + TLS_DBG (1, "failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", + rv); + return -1; + } + + mbedtls_ssl_conf_authmode (&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL); + mbedtls_ssl_conf_rng (&ctx->conf, mbedtls_ctr_drbg_random, + tls_get_ctr_drbg ()); + mbedtls_ssl_conf_dbg (&ctx->conf, mbedtls_debug, stdout); + + if ((rv = mbedtls_ssl_setup (&ctx->ssl, &ctx->conf)) != 0) + { + TLS_DBG (1, "failed\n ! mbedtls_ssl_setup returned %d\n", rv); + return -1; + } + + if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl, "SERVER NAME")) != 0) + { + TLS_DBG (1, "failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv); + return -1; + } + + ctx_ptr = uword_to_pointer (tls_ctx_index (ctx), void *); + mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL); + + mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT); + + /* + * 2. Do the first 2 steps in the handshake. 
+ */ + TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, + tls_ctx_index (ctx)); + while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + { + rv = mbedtls_ssl_handshake_step (&ctx->ssl); + if (rv != 0) + break; + } + TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, + tls_ctx_index (ctx), ctx->ssl.state); + return 0; +} + +static int +tls_ctx_init_server (tls_ctx_t * ctx) +{ + application_t *app; + void *ctx_ptr; + int rv; + + mbedtls_ssl_init (&ctx->ssl); + mbedtls_ssl_config_init (&ctx->conf); + mbedtls_x509_crt_init (&ctx->srvcert); + mbedtls_pk_init (&ctx->pkey); + + /* + * 1. Cert + */ + app = application_get (ctx->parent_app_index); + if (!app->tls_cert || !app->tls_key) + { + TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d", + ctx->parent_app_index); + return -1; + } + + rv = mbedtls_x509_crt_parse (&ctx->srvcert, + (const unsigned char *) app->tls_cert, + mbedtls_test_srv_crt_len); + if (rv != 0) + { + TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); + goto exit; + } + + /* TODO clone CA */ + rv = mbedtls_x509_crt_parse (&ctx->srvcert, + (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len); + if (rv != 0) + { + TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); + goto exit; + } + + rv = mbedtls_pk_parse_key (&ctx->pkey, + (const unsigned char *) app->tls_key, + mbedtls_test_srv_key_len, NULL, 0); + if (rv != 0) + { + TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv); + goto exit; + } + + /* + * 2. SSL context config + */ + if ((rv = mbedtls_ssl_config_defaults (&ctx->conf, MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT)) != 0) + { + TLS_DBG (1, " failed\n ! 
mbedtls_ssl_config_defaults returned %d", rv); + goto exit; + } + + mbedtls_ssl_conf_rng (&ctx->conf, mbedtls_ctr_drbg_random, + tls_get_ctr_drbg ()); + mbedtls_ssl_conf_dbg (&ctx->conf, mbedtls_debug, stdout); + + /* TODO CACHE + mbedtls_ssl_conf_session_cache( &ctx->conf, &cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); + */ + + mbedtls_ssl_conf_ca_chain (&ctx->conf, ctx->srvcert.next, NULL); + if ((rv = mbedtls_ssl_conf_own_cert (&ctx->conf, &ctx->srvcert, &ctx->pkey)) + != 0) + { + TLS_DBG (1, " failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv); + goto exit; + } + + if ((rv = mbedtls_ssl_setup (&ctx->ssl, &ctx->conf)) != 0) + { + TLS_DBG (1, " failed\n ! mbedtls_ssl_setup returned %d", rv); + goto exit; + } + + mbedtls_ssl_session_reset (&ctx->ssl); + ctx_ptr = uword_to_pointer (tls_ctx_index (ctx), void *); + mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL); + + mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_SERVER); + + /* + * 3. Start handshake state machine + */ + TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, + tls_ctx_index (ctx)); + while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + { + rv = mbedtls_ssl_handshake_step (&ctx->ssl); + if (rv != 0) + break; + } + + TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, + tls_ctx_index (ctx), ctx->ssl.state); + return 0; + +exit: + return -1; +} + +static int +tls_notify_app_accept (tls_ctx_t * ctx) +{ + stream_session_t *app_listener, *app_session; + segment_manager_t *sm; + application_t *app; + tls_ctx_t *lctx; + int rv; + + app = application_get (ctx->parent_app_index); + lctx = tls_listener_ctx_get (ctx->listener_ctx_index); + app_listener = listen_session_get_from_handle (lctx->app_session_handle); + sm = application_get_listen_segment_manager (app, app_listener); + + app_session = session_alloc (vlib_get_thread_index ()); + app_session->app_index = ctx->parent_app_index; + app_session->connection_index = tls_ctx_index (ctx); + 
app_session->session_type = app_listener->session_type; + app_session->listener_index = app_listener->session_index; + if ((rv = session_alloc_fifos (sm, app_session))) + { + TLS_DBG (1, "failed to allocate fifos"); + return rv; + } + ctx->c_s_index = app_session->session_index; + ctx->c_c_index = tls_ctx_index (ctx); + ctx->app_session_handle = session_handle (app_session); + return app->cb_fns.session_accept_callback (app_session); +} + +static int +tls_notify_app_connected (tls_ctx_t * ctx) +{ + int (*cb_fn) (u32, u32, stream_session_t *, u8); + stream_session_t *app_session; + segment_manager_t *sm; + application_t *app; + + app = application_get (ctx->parent_app_index); + cb_fn = app->cb_fns.session_connected_callback; + + sm = application_get_connect_segment_manager (app); + app_session = session_alloc (vlib_get_thread_index ()); + app_session->app_index = ctx->parent_app_index; + app_session->connection_index = tls_ctx_index (ctx); + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); + if (session_alloc_fifos (sm, app_session)) + goto failed; + + ctx->app_session_handle = session_handle (app_session); + ctx->c_s_index = app_session->session_index; + ctx->c_c_index = tls_ctx_index (ctx); + app_session->session_state = SESSION_STATE_READY; + if (cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, + app_session, 0 /* not failed */ )) + { + TLS_DBG (1, "failed to notify app"); + tls_disconnect (tls_ctx_index (ctx), vlib_get_thread_index ()); + } + + return 0; + +failed: + return cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, 0, + 1 /* failed */ ); +} + +static int +tls_handshake_rx (tls_ctx_t * ctx) +{ + u32 flags; + int rv; + while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + { + rv = mbedtls_ssl_handshake_step (&ctx->ssl); + if (rv != 0) + break; + } + TLS_DBG (2, "tls state for %u is %u", tls_ctx_index (ctx), ctx->ssl.state); + + if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + return 
0; + + /* + * Handshake complete + */ + if (ctx->ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT) + { + /* + * Verify server certificate + */ + if ((flags = mbedtls_ssl_get_verify_result (&ctx->ssl)) != 0) + { + char buf[512]; + TLS_DBG (1, " failed\n"); + mbedtls_x509_crt_verify_info (buf, sizeof (buf), " ! ", flags); + TLS_DBG (1, "%s\n", buf); + + /* For testing purposes not enforcing this */ + /* tls_disconnect (tls_ctx_index (ctx), vlib_get_thread_index ()); + return -1; + */ + } + tls_notify_app_connected (ctx); + } + else + { + tls_notify_app_accept (ctx); + } + + TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x", + tls_ctx_index (ctx), ctx->ssl.session->ciphersuite); + return 0; +} + +void +tls_session_reset_callback (stream_session_t * s) +{ + clib_warning ("called..."); +} + +int +tls_add_segment_callback (u32 client_index, const ssvm_private_t * fs) +{ + /* No-op for builtin */ + return 0; +} + +int +tls_del_segment_callback (u32 client_index, const ssvm_private_t * fs) +{ + return 0; +} + +void +tls_session_disconnect_callback (stream_session_t * tls_session) +{ + stream_session_t *app_session; + tls_ctx_t *ctx; + application_t *app; + + ctx = tls_ctx_get (tls_session->opaque); + if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + { + stream_session_disconnect (tls_session); + return; + } + ctx->is_passive_close = 1; + app = application_get (ctx->parent_app_index); + app_session = session_get_from_handle (ctx->app_session_handle); + app->cb_fns.session_disconnect_callback (app_session); +} + +int +tls_session_accept_callback (stream_session_t * tls_session) +{ + stream_session_t *tls_listener; + tls_ctx_t *lctx, *ctx; + u32 ctx_index; + + tls_listener = listen_session_get (tls_session->session_type, + tls_session->listener_index); + lctx = tls_listener_ctx_get (tls_listener->opaque); + ctx_index = tls_ctx_alloc (); + ctx = tls_ctx_get (ctx_index); + memcpy (ctx, lctx, sizeof (*lctx)); + ctx->c_thread_index = vlib_get_thread_index (); + 
tls_session->session_state = SESSION_STATE_READY; + tls_session->opaque = ctx_index; + ctx->tls_session_handle = session_handle (tls_session); + ctx->listener_ctx_index = tls_listener->opaque; + + TLS_DBG (1, "Accept on listener %u new connection [%u]%u", + tls_listener->opaque, vlib_get_thread_index (), ctx_index); + + return tls_ctx_init_server (ctx); +} + +int +tls_app_tx_callback (stream_session_t * app_session) +{ + stream_session_t *tls_session; + tls_ctx_t *ctx; + static u8 *tmp_buf; + u32 enq_max, deq_max, deq_now; + int wrote; + + ctx = tls_ctx_get (app_session->connection_index); + if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo); + if (!deq_max) + return 0; + + tls_session = session_get_from_handle (ctx->tls_session_handle); + enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo); + deq_now = clib_min (deq_max, TLS_CHUNK_SIZE); + + if (PREDICT_FALSE (enq_max == 0)) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return 0; + } + + vec_validate (tmp_buf, deq_now); + svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, tmp_buf); + wrote = mbedtls_ssl_write (&ctx->ssl, tmp_buf, deq_now); + if (wrote <= 0) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return 0; + } + + svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); + vec_reset_length (tmp_buf); + + tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + if (deq_now < deq_max) + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + return 0; +} + +int +tls_app_rx_callback (stream_session_t * tls_session) +{ + stream_session_t *app_session; + u32 deq_max, enq_max, enq_now; + application_t *app; + static u8 *tmp_buf; + tls_ctx_t *ctx; + int read, enq; + + ctx = tls_ctx_get (tls_session->opaque); + if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) + return 
tls_handshake_rx (ctx); + + deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo); + if (!deq_max) + return 0; + + app_session = session_get_from_handle (ctx->app_session_handle); + enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo); + enq_now = clib_min (enq_max, TLS_CHUNK_SIZE); + + if (PREDICT_FALSE (enq_now == 0)) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return 0; + } + + vec_validate (tmp_buf, enq_now); + read = mbedtls_ssl_read (&ctx->ssl, tmp_buf, enq_now); + if (read <= 0) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return 0; + } + + enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read, tmp_buf); + ASSERT (enq == read); + vec_reset_length (tmp_buf); + + if (svm_fifo_max_dequeue (tls_session->server_rx_fifo)) + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + + app = application_get_if_valid (app_session->app_index); + return tls_add_app_q_evt (app, app_session); +} + +int +tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, + stream_session_t * tls_session, u8 is_fail) +{ + int (*cb_fn) (u32, u32, stream_session_t *, u8); + application_t *app; + tls_ctx_t *ho_ctx, *ctx; + u32 ctx_index; + + ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + app = application_get (ho_ctx->parent_app_index); + cb_fn = app->cb_fns.session_connected_callback; + + if (is_fail) + goto failed; + + ctx_index = tls_ctx_alloc (); + ctx = tls_ctx_get (ctx_index); + clib_memcpy (ctx, ho_ctx, sizeof (*ctx)); + ctx->c_thread_index = vlib_get_thread_index (); + tls_ctx_half_open_reader_unlock (); + tls_ctx_half_open_free (ho_ctx_index); + + TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%u", + ho_ctx_index, is_fail, vlib_get_thread_index (), + (ctx) ? 
ctx_index : ~0); + + ctx->tls_session_handle = session_handle (tls_session); + tls_session->opaque = ctx_index; + tls_session->session_state = SESSION_STATE_READY; + + return tls_ctx_init_client (ctx); + +failed: + tls_ctx_half_open_reader_unlock (); + tls_ctx_half_open_free (ho_ctx_index); + return cb_fn (ho_ctx->parent_app_index, ho_ctx->c_s_index, 0, + 1 /* failed */ ); +} + +/* *INDENT-OFF* */ +static session_cb_vft_t tls_app_cb_vft = { + .session_accept_callback = tls_session_accept_callback, + .session_disconnect_callback = tls_session_disconnect_callback, + .session_connected_callback = tls_session_connected_callback, + .session_reset_callback = tls_session_reset_callback, + .add_segment_callback = tls_add_segment_callback, + .del_segment_callback = tls_del_segment_callback, + .builtin_app_rx_callback = tls_app_rx_callback, + .builtin_app_tx_callback = tls_app_tx_callback, +}; +/* *INDENT-ON* */ + +int +tls_connect (transport_endpoint_t * tep) +{ + session_endpoint_extended_t *sep; + session_endpoint_t tls_sep; + tls_main_t *tm = &tls_main; + application_t *app; + tls_ctx_t *ctx; + u32 ctx_index; + int rv; + + sep = (session_endpoint_extended_t *) tep; + + ctx_index = tls_ctx_half_open_alloc (); + ctx = tls_ctx_half_open_get (ctx_index); + ctx->parent_app_index = sep->app_index; + ctx->parent_app_api_context = sep->opaque; + ctx->tcp_is_ip4 = sep->is_ip4; + tls_ctx_half_open_reader_unlock (); + + app = application_get (sep->app_index); + application_alloc_connects_segment_manager (app); + + clib_memcpy (&tls_sep, sep, sizeof (tls_sep)); + tls_sep.transport_proto = TRANSPORT_PROTO_TCP; + if ((rv = application_connect (tm->app_index, ctx_index, &tls_sep))) + return rv; + + TLS_DBG (1, "New connect request %u", ctx_index); + return 0; +} + +void +tls_disconnect (u32 ctx_index, u32 thread_index) +{ + stream_session_t *tls_session, *app_session; + tls_ctx_t *ctx; + + TLS_DBG (1, "Disconnecting %u", ctx_index); + + ctx = tls_ctx_get (ctx_index); + if 
(ctx->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER && !ctx->is_passive_close) + mbedtls_ssl_close_notify (&ctx->ssl); + + tls_session = session_get_from_handle (ctx->tls_session_handle); + stream_session_disconnect (tls_session); + + app_session = session_get_from_handle_if_valid (ctx->app_session_handle); + if (app_session) + { + segment_manager_dealloc_fifos (app_session->svm_segment_index, + app_session->server_rx_fifo, + app_session->server_tx_fifo); + session_free (app_session); + } + tls_ctx_free (ctx); +} + +u32 +tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) +{ + tls_main_t *tm = &tls_main; + application_t *tls_app; + session_handle_t tls_handle; + session_endpoint_extended_t *sep; + stream_session_t *tls_listener; + tls_ctx_t *lctx; + u32 lctx_index; + session_type_t st; + stream_session_t *app_listener; + + sep = (session_endpoint_extended_t *) tep; + lctx_index = tls_listener_ctx_alloc (); + lctx = tls_listener_ctx_get (lctx_index); + st = session_type_from_proto_and_ip (sep->transport_proto, sep->is_ip4); + app_listener = listen_session_get (st, app_listener_index); + + tls_app = application_get (tm->app_index); + sep->transport_proto = TRANSPORT_PROTO_TCP; + if (application_start_listen (tls_app, (session_endpoint_t *) sep, + &tls_handle)) + return ~0; + + tls_listener = listen_session_get_from_handle (tls_handle); + tls_listener->opaque = lctx_index; + lctx->parent_app_index = sep->app_index; + lctx->tls_session_handle = tls_handle; + lctx->app_session_handle = listen_session_get_handle (app_listener); + lctx->tcp_is_ip4 = sep->is_ip4; + return lctx_index; +} + +u32 +tls_stop_listen (u32 listener_index) +{ + clib_warning ("TBD"); + return 0; +} + +transport_connection_t * +tls_listener_get (u32 listener_index) +{ + tls_ctx_t *ctx; + ctx = tls_listener_ctx_get (listener_index); + return &ctx->connection; +} + +u8 * +format_tls_ctx (u8 * s, va_list * args) +{ + tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *); + u32 thread_index = va_arg 
(*args, u32); + u32 child_si, child_ti; + + session_parse_handle (ctx->tls_session_handle, &child_si, &child_ti); + if (thread_index != child_ti) + clib_warning ("app and tls sessions are on different threads!"); + + s = + format (s, "[#%d][TLS] app %u child %u", child_ti, ctx->parent_app_index, + child_si); + return s; +} + +u8 * +format_tls_connection (u8 * s, va_list * args) +{ + u32 ctx_index = va_arg (*args, u32); + u32 thread_index = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ctx_index, thread_index); + if (!ctx) + return s; + + s = format (s, "%-50U", format_tls_ctx, ctx, thread_index); + if (verbose) + { + s = format (s, "%-15s", "state"); + if (verbose > 1) + s = format (s, "\n"); + } + return s; +} + +u8 * +format_tls_listener (u8 * s, va_list * args) +{ + u32 tc_index = va_arg (*args, u32); + tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); + u32 listener_index, type; + + listen_session_parse_handle (ctx->tls_session_handle, &type, + &listener_index); + return format (s, "[TLS] listener app %u child %u", ctx->parent_app_index, + listener_index); +} + +u8 * +format_tls_half_open (u8 * s, va_list * args) +{ + u32 tc_index = va_arg (*args, u32); + tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); + s = format (s, "[TLS] half-open app %u", ctx->parent_app_index); + tls_ctx_half_open_reader_unlock (); + return s; +} + +/* *INDENT-OFF* */ +const static transport_proto_vft_t tls_proto = { + .open = tls_connect, + .close = tls_disconnect, + .bind = tls_start_listen, + .get_listener = tls_listener_get, + .unbind = tls_stop_listen, + .tx_type = TRANSPORT_TX_INTERNAL, + .service_type = TRANSPORT_SERVICE_APP, + .format_connection = format_tls_connection, + .format_half_open = format_tls_half_open, + .format_listener = format_tls_listener, +}; +/* *INDENT-ON* */ + +int +tls_init_mem (void) +{ +#if TLS_USE_OUR_MEM_FUNCS + mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn); +#endif + 
return 0; +} + +int +tls_init_ca_chain (void) +{ + tls_main_t *tm = &tls_main; + int rv; + + /* TODO config */ + mbedtls_x509_crt_init (&tm->cacert); + rv = mbedtls_x509_crt_parse (&tm->cacert, + (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len); + if (rv < 0) + { + clib_warning ("mbedtls_x509_crt_parse returned -0x%x", -rv); + return -1; + } + return 0; +} + +clib_error_t * +tls_init (vlib_main_t * vm) +{ + vlib_thread_main_t *vtm = vlib_get_thread_main (); + u32 fifo_size = 64 << 10, num_threads; + vnet_app_attach_args_t _a, *a = &_a; + u64 options[APP_OPTIONS_N_OPTIONS]; + u32 segment_size = 512 << 20; + tls_main_t *tm = &tls_main; + + num_threads = 1 /* main thread */ + vtm->n_threads; + + if (tls_init_mem ()) + { + clib_warning ("failed to initialize mem"); + return clib_error_return (0, "failed to initalize mem"); + } + if (tls_init_ca_chain ()) + { + clib_warning ("failed to initialize TLS CA chain"); + return clib_error_return (0, "failed to initalize TLS CA chain"); + } + if (tls_init_ctr_drbgs_and_entropy (num_threads)) + { + clib_warning ("failed to initialize entropy and random generators"); + return clib_error_return (0, "failed to initialize entropy and random " + "generators"); + } + + memset (a, 0, sizeof (*a)); + memset (options, 0, sizeof (options)); + + a->session_cb_vft = &tls_app_cb_vft; + a->api_client_index = (1 << 24) + 1; + a->options = options; + a->options[APP_OPTIONS_SEGMENT_SIZE] = segment_size; + a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; + a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; + a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; + a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE; + + if (vnet_application_attach (a)) + { + clib_warning ("failed to attach tls app"); + return clib_error_return (0, "failed to attach tls app"); + } + + tm->app_index = a->app_index; + vec_validate (tm->ctx_pool, num_threads - 1); + clib_rwlock_init (&tm->half_open_rwlock); + + 
transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, + FIB_PROTOCOL_IP4, ~0); + transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, + FIB_PROTOCOL_IP6, ~0); + + return 0; +} + +VLIB_INIT_FUNCTION (tls_init); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c index b80aa3391a6..12f816bfe3b 100644 --- a/src/vnet/session/application.c +++ b/src/vnet/session/application.c @@ -209,6 +209,9 @@ application_del (application_t * app) */ application_local_sessions_del (app); + vec_free (app->tls_cert); + vec_free (app->tls_key); + application_table_del (app); pool_put (app_pool, app); } @@ -473,10 +476,22 @@ int application_open_session (application_t * app, session_endpoint_t * sep, u32 api_context) { - segment_manager_t *sm; int rv; /* Make sure we have a segment manager for connects */ + application_alloc_connects_segment_manager (app); + + if ((rv = session_open (app->index, sep, api_context))) + return rv; + + return 0; +} + +int +application_alloc_connects_segment_manager (application_t * app) +{ + segment_manager_t *sm; + if (app->connects_seg_manager == APP_INVALID_SEGMENT_MANAGER_INDEX) { sm = application_alloc_segment_manager (app); @@ -484,10 +499,6 @@ application_open_session (application_t * app, session_endpoint_t * sep, return -1; app->connects_seg_manager = segment_manager_index (sm); } - - if ((rv = session_open (app->index, sep, api_context))) - return rv; - return 0; } 
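Review bot: In application_del, `vec_free (app->tls_key)` releases the PEM private key without clearing it first, so the key bytes stay readable in freed heap memory until that memory is reused. Wipe it before the free, `if (app->tls_key) memset (app->tls_key, 0, vec_len (app->tls_key));`, bearing in mind that a plain memset immediately before a free can be elided by the compiler, so an explicit-clear helper is preferable if the tree has one. application_del starts and ends outside this hunk.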
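Review bot: application_open_session now discards the return value of application_alloc_connects_segment_manager, whereas the code it replaces returned -1 when application_alloc_segment_manager failed; after this change a failed allocation falls through to session_open with app->connects_seg_manager still APP_INVALID_SEGMENT_MANAGER_INDEX. Keep the old behaviour with `if (application_alloc_connects_segment_manager (app)) return -1;`. The same unchecked call appears in tls_connect earlier in this diff, which would want the same treatment.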
@@ -1156,6 +1167,30 @@ application_local_sessions_del (application_t * app) segment_manager_del (sm); } +clib_error_t * +vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a) +{ + application_t *app; + app = application_get (a->app_index); + if (!app) + return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED, + 0, "app %u doesn't exist", a->app_index); + app->tls_cert = vec_dup (a->cert); + return 0; +} + +clib_error_t * +vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a) +{ + application_t *app; + app = application_get (a->app_index); + if (!app) + return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED, + 0, "app %u doesn't exist", a->app_index); + app->tls_key = vec_dup (a->key); + return 0; +} + u8 * format_application_listener (u8 * s, va_list * args) { diff --git a/src/vnet/session/application.h b/src/vnet/session/application.h index 6fb0f066ad3..8e5c2de0494 100644 --- a/src/vnet/session/application.h +++ b/src/vnet/session/application.h @@ -20,12 +20,6 @@ #include <vnet/session/session.h> #include <vnet/session/segment_manager.h> #include <vnet/session/application_namespace.h> -typedef enum -{ - APP_SERVER, - APP_CLIENT, - APP_N_TYPES -} application_type_t; typedef struct _stream_session_cb_vft { @@ -49,8 +43,11 @@ typedef struct _stream_session_cb_vft /** Notify app that session was reset */ void (*session_reset_callback) (stream_session_t * s); - /** Direct RX callback, for built-in servers */ - int (*builtin_server_rx_callback) (stream_session_t * session); + /** Direct RX callback for built-in application */ + int (*builtin_app_rx_callback) (stream_session_t * session); + + /** Direct TX callback for built-in application */ + int (*builtin_app_tx_callback) (stream_session_t * session); } session_cb_vft_t; 
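Review bot: vnet_app_add_tls_cert and vnet_app_add_tls_key assign `app->tls_cert = vec_dup (a->cert)` and `app->tls_key = vec_dup (a->key)` without releasing any previously installed value, so a second call for the same app leaks the old vector and, for the key, leaves the old private key lying in the heap. Free the old value first — `vec_free (app->tls_key); app->tls_key = vec_dup (a->key);` — and clear the key bytes before freeing, with the same change for the cert. Neither function checks that the buffer is non-empty or parses as PEM, so a malformed key is only discovered when a later handshake tries to use it; parsing at install time would return the error to the caller instead.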
@@ -118,6 +115,16 @@ typedef struct _application /** Hash table of the app's local connects */ uword *local_connects; + + /* + * TLS Specific + */ + + /** Certificate to be used for listen sessions */ + u8 *tls_cert; + + /** PEM encoded key */ + u8 *tls_key; } application_t; #define APP_INVALID_INDEX ((u32)~0) @@ -152,6 +159,8 @@ segment_manager_t *application_get_listen_segment_manager (application_t * ls); segment_manager_t *application_get_connect_segment_manager (application_t * app); +int application_alloc_connects_segment_manager (application_t * app); + int application_is_proxy (application_t * app); int application_is_builtin (application_t * app); int application_is_builtin_proxy (application_t * app); @@ -245,6 +254,13 @@ application_local_session_listener_has_transport (local_session_t * ls) return (tp != TRANSPORT_PROTO_NONE); } +void send_local_session_disconnect_callback (u32 app_index, + local_session_t * ls); + +int application_connect (u32 client_index, u32 api_context, + session_endpoint_t * sep); + +uword unformat_application_proto (unformat_input_t * input, va_list * args); #endif /* SRC_VNET_SESSION_APPLICATION_H_ */ diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c index fd079b5147b..12a5701fdf3 100644 --- a/src/vnet/session/application_interface.c +++ b/src/vnet/session/application_interface.c 
@@ -22,6 +22,61 @@ VPP's application/session API bind/unbind/connect/disconnect calls */ +/* + * TLS server cert and keys to be used for testing only + */ +const char test_srv_crt_rsa[] = + "-----BEGIN CERTIFICATE-----\r\n" + "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" + "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" + "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" + "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" + "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" + "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" + "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" + "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" + "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" + "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" + "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" + "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" + "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" + "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" + "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" + "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" + "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" + "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n"; +const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa); + +const char test_srv_key_rsa[] = + "-----BEGIN RSA PRIVATE KEY-----\r\n" + "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" + "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" + "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" + "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" + 
"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" + "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" + "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" + "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" + "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" + "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" + "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" + "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" + "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" + "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" + "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" + "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" + "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" + "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" + "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" + "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" + "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" + "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" + "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" + "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" + "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n" + "-----END RSA PRIVATE KEY-----\r\n"; +const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa); + static u8 session_endpoint_is_local (session_endpoint_t * sep) { 
@@ -179,8 +234,8 @@ vnet_unbind_i (u32 app_index, session_handle_t handle) } int -vnet_connect_i (u32 client_index, u32 api_context, session_endpoint_t * sep, - void *mp) +application_connect (u32 client_index, u32 api_context, + session_endpoint_t * sep) { application_t *server, *client; u32 table_index, server_index, li; @@ -277,22 +332,23 @@ uword unformat_vnet_uri (unformat_input_t * input, va_list * args) { session_endpoint_t *sep = va_arg (*args, session_endpoint_t *); - u32 transport_proto = 0; - if (unformat (input, "%U://%U/%d", unformat_transport_proto, - &transport_proto, unformat_ip4_address, &sep->ip.ip4, - &sep->port)) + u32 transport_proto = 0, port; + + if (unformat + (input, "%U://%U/%d", unformat_transport_proto, &transport_proto, + unformat_ip4_address, &sep->ip.ip4, &port)) { sep->transport_proto = transport_proto; - sep->port = clib_host_to_net_u16 (sep->port); + sep->port = clib_host_to_net_u16 (port); sep->is_ip4 = 1; return 1; } - if (unformat (input, "%U://%U/%d", unformat_transport_proto, - &transport_proto, unformat_ip6_address, &sep->ip.ip6, - &sep->port)) + else if (unformat (input, "%U://%U/%d", unformat_transport_proto, + &transport_proto, unformat_ip6_address, &sep->ip.ip6, + &port)) { sep->transport_proto = transport_proto; - sep->port = clib_host_to_net_u16 (sep->port); + sep->port = clib_host_to_net_u16 (port); sep->is_ip4 = 0; return 1; } @@ -440,8 +496,8 @@ vnet_bind_uri (vnet_bind_args_t * a) int vnet_unbind_uri (vnet_unbind_args_t * a) { - stream_session_t *listener; session_endpoint_t sep = SESSION_ENDPOINT_NULL; + stream_session_t *listener; int rv; rv = parse_uri (a->uri, &sep); 
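Review bot: In unformat_vnet_uri the port is parsed with `%d` into a u32 and then narrowed by `clib_host_to_net_u16 (port)`, so a URI such as tcp://1.2.3.4/70000 is silently bound or connected on port 4464 instead of being rejected, and a negative value wraps the same way. Range-check before the conversion in both the IPv4 and IPv6 branches: `if (port > 65535) return 0;`. A parse failure here propagates through parse_uri to the bind and connect callers, which is the correct outcome for a bad port.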
@@ -459,15 +515,15 @@ vnet_unbind_uri (vnet_unbind_args_t * a) clib_error_t * vnet_connect_uri (vnet_connect_args_t * a) { - session_endpoint_t sep_null = SESSION_ENDPOINT_NULL; + session_endpoint_t sep = SESSION_ENDPOINT_NULL; int rv; /* Parse uri */ - a->sep = sep_null; - rv = parse_uri (a->uri, &a->sep); + rv = parse_uri (a->uri, &sep); if (rv) return clib_error_return_code (0, rv, 0, "app init: %d", rv); - if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp))) + + if ((rv = application_connect (a->app_index, a->api_context, &sep))) return clib_error_return_code (0, rv, 0, "connect failed"); return 0; } @@ -523,8 +579,10 @@ vnet_unbind (vnet_unbind_args_t * a) clib_error_t * vnet_connect (vnet_connect_args_t * a) { + session_endpoint_t *sep = &a->sep; int rv; - if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp))) + + if ((rv = application_connect (a->app_index, a->api_context, sep))) return clib_error_return_code (0, rv, 0, "connect failed"); return 0; } diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h index 4b7a2dfa66c..2ab09d6f52d 100644 --- a/src/vnet/session/application_interface.h +++ b/src/vnet/session/application_interface.h @@ -30,7 +30,7 @@ typedef struct _vnet_app_attach_args_t /** Application and segment manager options */ u64 *options; - /* Namespace id */ + /** ID of the namespace the app has access to */ u8 *namespace_id; /** Session to application callback functions */ @@ -80,8 +80,11 @@ typedef struct _vnet_unbind_args_t typedef struct _vnet_connect_args { - char *uri; - session_endpoint_t sep; + union + { + char *uri; + session_endpoint_t sep; + }; u32 app_index; u32 api_context; 
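Review bot: Making `uri` and `sep` a union in vnet_connect_args_t silently breaks any caller that fills both fields, since writing sep overwrites the uri pointer (and vice versa), and nothing in the struct says which entry point reads which member. Document the aliasing on the union, e.g. `/* uri is consumed by vnet_connect_uri, sep by vnet_connect; they overlap, so set only one */`. The struct definition continues past the end of this hunk.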
@@ -96,6 +99,18 @@ typedef struct _vnet_disconnect_args_t u32 app_index; } vnet_disconnect_args_t; +typedef struct _vnet_application_add_tls_cert_args_t +{ + u32 app_index; + u8 *cert; +} vnet_app_add_tls_cert_args_t; + +typedef struct _vnet_application_add_tls_key_args_t +{ + u32 app_index; + u8 *key; +} vnet_app_add_tls_key_args_t; + /* Application attach options */ typedef enum { @@ -136,24 +151,24 @@ typedef enum _app_options_flags #undef _ } app_options_flags_t; -clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a); -int vnet_application_detach (vnet_app_detach_args_t * a); - int vnet_bind_uri (vnet_bind_args_t *); int vnet_unbind_uri (vnet_unbind_args_t * a); clib_error_t *vnet_connect_uri (vnet_connect_args_t * a); -int vnet_disconnect_session (vnet_disconnect_args_t * a); +clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a); clib_error_t *vnet_bind (vnet_bind_args_t * a); clib_error_t *vnet_connect (vnet_connect_args_t * a); clib_error_t *vnet_unbind (vnet_unbind_args_t * a); +int vnet_application_detach (vnet_app_detach_args_t * a); +int vnet_disconnect_session (vnet_disconnect_args_t * a); -int -api_parse_session_handle (u64 handle, u32 * session_index, - u32 * thread_index); +clib_error_t *vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a); +clib_error_t *vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a); -void send_local_session_disconnect_callback (u32 app_index, - local_session_t * ls); +extern const char test_srv_crt_rsa[]; +extern const u32 test_srv_crt_rsa_len; +extern const char test_srv_key_rsa[]; +extern const u32 test_srv_key_rsa_len; #endif /* __included_uri_h__ */ diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api index a6739fc61bf..336b51cd333 100644 --- a/src/vnet/session/session.api +++ b/src/vnet/session/session.api 
@@ -51,6 +51,34 @@ define application_attach_reply { u8 segment_name[128]; }; +/** \brief Application add TLS certificate + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param cert_len - certificate length + @param cert - certificate as a string +*/ +autoreply define application_tls_cert_add { + u32 client_index; + u32 context; + u32 app_index; + u16 cert_len; + u8 cert[cert_len]; +}; + +/** \brief Application add TLS key + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param key_len - certificate length + @param key - PEM encoded key as a string +*/ +autoreply define application_tls_key_add { + u32 client_index; + u32 context; + u32 app_index; + u16 key_len; + u8 key[key_len]; +}; + /** \brief client->vpp, attach application to session layer @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c index de3cbc57d66..09e3ded6dff 100644 --- a/src/vnet/session/session.c +++ b/src/vnet/session/session.c @@ -103,7 +103,7 @@ session_alloc (u32 thread_index) return s; } -static void +void session_free (stream_session_t * s) { pool_put (session_manager_main.sessions[s->thread_index], s); @@ -111,7 +111,7 @@ session_free (stream_session_t * s) memset (s, 0xFA, sizeof (*s)); } -static int +int session_alloc_fifos (segment_manager_t * sm, stream_session_t * s) { svm_fifo_t *server_rx_fifo = 0, *server_tx_fifo = 0; 
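Review bot: In application_tls_key_add the doc comment describes `key_len` as "certificate length", and neither new message documents `app_index`, which is the field that selects whose TLS identity is being replaced. Correct it to `@param key_len - key length` and add `@param app_index - index of the attached application the key is installed for` (and the equivalent line for the cert message). It is also worth noting in the brief that the PEM private key is carried in the message body itself, since nothing here protects it in transit.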
@@ -463,9 +463,9 @@ session_enqueue_notify (stream_session_t * s, u8 block) return 0; } - /* Built-in server? Hand event to the callback... */ - if (app->cb_fns.builtin_server_rx_callback) - return app->cb_fns.builtin_server_rx_callback (s); + /* Built-in app? Hand event to the callback... */ + if (app->cb_fns.builtin_app_rx_callback) + return app->cb_fns.builtin_app_rx_callback (s); /* If no event, send one */ if (svm_fifo_set_event (s->server_rx_fifo)) @@ -548,13 +548,13 @@ stream_session_init_fifos_pointers (transport_connection_t * tc, int session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) { - application_t *app; + u32 opaque = 0, new_ti, new_si; stream_session_t *new_s = 0; - u64 handle; - u32 opaque = 0; - int error = 0; segment_manager_t *sm; + application_t *app; u8 alloc_fifos; + int error = 0; + u64 handle; /* * Find connection handle and cleanup half-open table @@ -588,7 +588,11 @@ session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) error = -1; } else - new_s->app_index = app->index; + { + new_s->app_index = app->index; + new_si = new_s->session_index; + new_ti = new_s->thread_index; + } } /* @@ -599,12 +603,18 @@ session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) { SESSION_DBG ("failed to notify app"); if (!is_fail) - stream_session_disconnect_transport (new_s); + { + new_s = session_get (new_si, new_ti); + stream_session_disconnect_transport (new_s); + } } else { if (!is_fail) - new_s->session_state = SESSION_STATE_READY; + { + new_s = session_get (new_si, new_ti); + new_s->session_state = SESSION_STATE_READY; + } } return error; 
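Review bot: In session_stream_connect_notify, new_si and new_ti are assigned only when session_alloc_and_init succeeds, yet the later `if (!is_fail)` blocks call `session_get (new_si, new_ti)` whenever the transport did not fail — so when the allocation fails (error = -1, new_s left at 0) the session pool is indexed with uninitialized values. Guard on the allocation outcome too, e.g. `if (!is_fail && !error)` in both places, or initialize `new_si = new_ti = ~0` and test for that. The function starts before this hunk, and the callback invocation between the two hunks is not visible here.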
@@ -790,21 +800,8 @@ stream_session_accept (transport_connection_t * tc, u32 listener_index, return 0; } -/** - * Ask transport to open connection to remote transport endpoint. - * - * Stores handle for matching request with reply since the call can be - * asynchronous. For instance, for TCP the 3-way handshake must complete - * before reply comes. Session is only created once connection is established. - * - * @param app_index Index of the application requesting the connect - * @param st Session type requested. - * @param tep Remote transport endpoint - * @param opaque Opaque data (typically, api_context) the application expects - * on open completion. - */ int -session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) +session_open_cl (u32 app_index, session_endpoint_t * rmt, u32 opaque) { transport_connection_t *tc; transport_endpoint_t *tep; 
@@ -812,7 +809,44 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) stream_session_t *s; application_t *app; int rv; + + tep = session_endpoint_to_transport (rmt); + rv = tp_vfts[rmt->transport_proto].open (tep); + if (rv < 0) + { + SESSION_DBG ("Transport failed to open connection."); + return VNET_API_ERROR_SESSION_CONNECT; + } + + tc = tp_vfts[rmt->transport_proto].get_half_open ((u32) rv); + + /* For dgram type of service, allocate session and fifos now. + */ + app = application_get (app_index); + sm = application_get_connect_segment_manager (app); + + if (session_alloc_and_init (sm, tc, 1, &s)) + return -1; + s->app_index = app->index; + s->session_state = SESSION_STATE_CONNECTING_READY; + + /* Tell the app about the new event fifo for this session */ + app->cb_fns.session_connected_callback (app->index, opaque, s, 0); + + return 0; +} + +int +session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + transport_connection_t *tc; + transport_endpoint_t *tep; u64 handle; + int rv; + + /* TODO until udp is fixed */ + if (rmt->transport_proto == TRANSPORT_PROTO_UDP) + return session_open_cl (app_index, rmt, opaque); tep = session_endpoint_to_transport (rmt); rv = tp_vfts[rmt->transport_proto].open (tep); 
@@ -826,38 +860,60 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) /* If transport offers a stream service, only allocate session once the * connection has been established. + * Add connection to half-open table and save app and tc index. The + * latter is needed to help establish the connection while the former + * is needed when the connect notify comes and we have to notify the + * external app */ - if (transport_is_stream (rmt->transport_proto)) - { - /* Add connection to half-open table and save app and tc index. The - * latter is needed to help establish the connection while the former - * is needed when the connect notify comes and we have to notify the - * external app - */ - handle = (((u64) app_index) << 32) | (u64) tc->c_index; - session_lookup_add_half_open (tc, handle); - - /* Store api_context (opaque) for when the reply comes. Not the nicest - * thing but better than allocating a separate half-open pool. - */ - tc->s_index = opaque; - } - /* For dgram type of service, allocate session and fifos now. + handle = (((u64) app_index) << 32) | (u64) tc->c_index; + session_lookup_add_half_open (tc, handle); + + /* Store api_context (opaque) for when the reply comes. Not the nicest + * thing but better than allocating a separate half-open pool. 
*/ - else - { - app = application_get (app_index); - sm = application_get_connect_segment_manager (app); + tc->s_index = opaque; + return 0; +} - if (session_alloc_and_init (sm, tc, 1, &s)) - return -1; - s->app_index = app->index; - s->session_state = SESSION_STATE_CONNECTING_READY; +int +session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + session_endpoint_extended_t sep; + clib_memcpy (&sep, rmt, sizeof (*rmt)); + sep.app_index = app_index; + sep.opaque = opaque; - /* Tell the app about the new event fifo for this session */ - app->cb_fns.session_connected_callback (app->index, opaque, s, 0); - } - return 0; + return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep); +} + +typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32); + +/* *INDENT-OFF* */ +static session_open_service_fn session_open_srv_fns[TRANSPORT_N_SERVICES] = { + session_open_vc, + session_open_cl, + session_open_app, +}; +/* *INDENT-ON* */ + +/** + * Ask transport to open connection to remote transport endpoint. + * + * Stores handle for matching request with reply since the call can be + * asynchronous. For instance, for TCP the 3-way handshake must complete + * before reply comes. Session is only created once connection is established. + * + * @param app_index Index of the application requesting the connect + * @param st Session type requested. + * @param tep Remote transport endpoint + * @param opaque Opaque data (typically, api_context) the application expects + * on open completion. + */ +int +session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + transport_service_type_t tst = tp_vfts[rmt->transport_proto].service_type; + return session_open_srv_fns[tst] (app_index, rmt, opaque); } /** 
@@ -869,7 +925,7 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) * @param tep Local endpoint to be listened on. */ int -stream_session_listen (stream_session_t * s, session_endpoint_t * sep) +session_listen_vc (stream_session_t * s, session_endpoint_t * sep) { transport_connection_t *tc; u32 tci; @@ -895,6 +951,36 @@ stream_session_listen (stream_session_t * s, session_endpoint_t * sep) return 0; } +int +session_listen_app (stream_session_t * s, session_endpoint_t * sep) +{ + session_endpoint_extended_t esep; + clib_memcpy (&esep, sep, sizeof (*sep)); + esep.app_index = s->app_index; + + return tp_vfts[sep->transport_proto].bind (s->session_index, + (transport_endpoint_t *) & esep); +} + +typedef int (*session_listen_service_fn) (stream_session_t *, + session_endpoint_t *); + +/* *INDENT-OFF* */ +static session_listen_service_fn +session_listen_srv_fns[TRANSPORT_N_SERVICES] = { + session_listen_vc, + session_listen_vc, + session_listen_app, +}; +/* *INDENT-ON* */ + +int +stream_session_listen (stream_session_t * s, session_endpoint_t * sep) +{ + transport_service_type_t tst = tp_vfts[sep->transport_proto].service_type; + return session_listen_srv_fns[tst] (s, sep); +} + /** * Ask transport to stop listening on local transport endpoint. * @@ -1039,6 +1125,14 @@ session_manager_get_evt_q_segment (void) return 0; } +/* *INDENT-OFF* */ +static session_fifo_rx_fn *session_tx_fns[TRANSPORT_TX_N_FNS] = { + session_tx_fifo_peek_and_snd, + session_tx_fifo_dequeue_and_snd, + session_tx_fifo_dequeue_internal +}; +/* *INDENT-ON* */ + /** * Initialize session layer for given transport proto and ip version * 
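Review bot: session_listen_app copies only `sizeof (*sep)` bytes into esep and then sets app_index, so the remaining session_endpoint_extended_t fields — at least `opaque`, which session_open_app sets explicitly — reach the transport's bind as uninitialized stack memory. Zero the structure before filling it: `memset (&esep, 0, sizeof (esep));` ahead of the clib_memcpy. session_open_app in the preceding hunk copies the same way but sets both fields, so that path is presumably fine unless the extended type has more members than those two.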
@@ -1061,15 +1155,18 @@ session_register_transport (transport_proto_t transport_proto, vec_validate (smm->session_tx_fns, session_type); /* *INDENT-OFF* */ - foreach_vlib_main (({ - next_index = vlib_node_add_next (this_vlib_main, session_queue_node.index, - output_node); - })); + if (output_node != ~0) + { + foreach_vlib_main (({ + next_index = vlib_node_add_next (this_vlib_main, + session_queue_node.index, + output_node); + })); + } /* *INDENT-ON* */ smm->session_type_to_next[session_type] = next_index; - session_manager_set_transport_rx_fn (session_type, - vft->tx_fifo_offset != 0); + smm->session_tx_fns[session_type] = session_tx_fns[vft->tx_type]; } transport_connection_t * @@ -1118,8 +1215,7 @@ session_manager_main_enable (vlib_main_t * vm) segment_manager_main_init_args_t _sm_args = { 0 }, *sm_args = &_sm_args; session_manager_main_t *smm = &session_manager_main; vlib_thread_main_t *vtm = vlib_get_thread_main (); - u32 num_threads; - u32 preallocated_sessions_per_worker; + u32 num_threads, preallocated_sessions_per_worker; int i, j; num_threads = 1 /* main thread */ + vtm->n_threads; diff --git a/src/vnet/session/session.h b/src/vnet/session/session.h index 364c6462dec..a6118d12766 100644 --- a/src/vnet/session/session.h +++ b/src/vnet/session/session.h @@ -114,6 +114,7 @@ typedef int extern session_fifo_rx_fn session_tx_fifo_peek_and_snd; extern session_fifo_rx_fn session_tx_fifo_dequeue_and_snd; +extern session_fifo_rx_fn session_tx_fifo_dequeue_internal; u8 session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e); @@ -233,6 +234,8 @@ stream_session_is_valid (u32 si, u8 thread_index) } stream_session_t *session_alloc (u32 thread_index); +int session_alloc_fifos (segment_manager_t * sm, stream_session_t * s); +void session_free (stream_session_t * s); always_inline stream_session_t * session_get (u32 si, u32 thread_index) 
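Review bot: When `output_node == ~0` the foreach_vlib_main loop that assigns next_index is skipped, yet `smm->session_type_to_next[session_type] = next_index;` still runs; unless next_index is initialized at its declaration (outside this hunk), an indeterminate value is stored for app-type transports such as TLS, which register with ~0. Initialize it in this hunk, e.g. `next_index = ~0;` before the `if`, or `u32 next_index = ~0;` where it is declared. session_register_transport starts before this hunk.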
@@ -453,7 +456,6 @@ transport_connection_t *session_get_transport (stream_session_t * s); u32 stream_session_tx_fifo_max_dequeue (transport_connection_t * tc); -stream_session_t *session_alloc (u32 thread_index); int session_enqueue_stream_connection (transport_connection_t * tc, vlib_buffer_t * b, u32 offset, @@ -531,6 +533,13 @@ listen_session_get_from_handle (session_handle_t handle) return s; } +always_inline void +listen_session_parse_handle (session_handle_t handle, u32 * type, u32 * index) +{ + *type = handle >> 32; + *index = handle & 0xFFFFFFFF; +} + always_inline stream_session_t * listen_session_new (session_type_t type) { @@ -573,18 +582,6 @@ session_manager_get_listener (u8 session_type, u32 index) index); } -/** - * Set peek or dequeue function for given session type - * - * Reliable transport protocols will probably want to use a peek function - */ -always_inline void -session_manager_set_transport_rx_fn (session_type_t type, u8 is_peek) -{ - session_manager_main.session_tx_fns[type] = (is_peek) ? - session_tx_fifo_peek_and_snd : session_tx_fifo_dequeue_and_snd; -} - always_inline u8 session_manager_is_enabled () { diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c index f21701c3896..6c2643c8995 100755 --- a/src/vnet/session/session_api.c +++ b/src/vnet/session/session_api.c @@ -56,6 +56,8 @@ _(SESSION_ENABLE_DISABLE, session_enable_disable) \ _(APP_NAMESPACE_ADD_DEL, app_namespace_add_del) \ _(SESSION_RULE_ADD_DEL, session_rule_add_del) \ _(SESSION_RULES_DUMP, session_rules_dump) \ +_(APPLICATION_TLS_CERT_ADD, application_tls_cert_add) \ +_(APPLICATION_TLS_KEY_ADD, application_tls_key_add) \ static int session_send_memfd_fd (vl_api_registration_t * reg, const ssvm_private_t * sp) 
@@ -1102,6 +1104,64 @@ vl_api_session_rules_dump_t_handler (vl_api_one_map_server_dump_t * mp) /* *INDENT-ON* */ } +static void +vl_api_application_tls_cert_add_t_handler (vl_api_application_tls_cert_add_t * + mp) +{ + vl_api_app_namespace_add_del_reply_t *rmp; + vnet_app_add_tls_cert_args_t _a, *a = &_a; + clib_error_t *error; + u32 cert_len; + int rv = 0; + if (!session_manager_is_enabled ()) + { + rv = VNET_API_ERROR_FEATURE_DISABLED; + goto done; + } + memset (a, 0, sizeof (*a)); + a->app_index = clib_net_to_host_u32 (mp->app_index); + cert_len = clib_net_to_host_u16 (mp->cert_len); + vec_validate (a->cert, cert_len); + clib_memcpy (a->cert, mp->cert, cert_len); + if ((error = vnet_app_add_tls_cert (a))) + { + rv = clib_error_get_code (error); + clib_error_report (error); + } + vec_free (a->cert); +done: + REPLY_MACRO (VL_API_APPLICATION_TLS_CERT_ADD_REPLY); +} + +static void +vl_api_application_tls_key_add_t_handler (vl_api_application_tls_key_add_t * + mp) +{ + vl_api_app_namespace_add_del_reply_t *rmp; + vnet_app_add_tls_key_args_t _a, *a = &_a; + clib_error_t *error; + u32 key_len; + int rv = 0; + if (!session_manager_is_enabled ()) + { + rv = VNET_API_ERROR_FEATURE_DISABLED; + goto done; + } + memset (a, 0, sizeof (*a)); + a->app_index = clib_net_to_host_u32 (mp->app_index); + key_len = clib_net_to_host_u16 (mp->key_len); + vec_validate (a->key, key_len); + clib_memcpy (a->key, mp->key, key_len); + if ((error = vnet_app_add_tls_key (a))) + { + rv = clib_error_get_code (error); + clib_error_report (error); + } + vec_free (a->key); +done: + REPLY_MACRO (VL_API_APPLICATION_TLS_KEY_ADD_REPLY); +} + static clib_error_t * application_reaper_cb (u32 client_index) { diff --git a/src/vnet/session/session_debug.h b/src/vnet/session/session_debug.h index 702fe96ad33..12c667c08d8 100644 --- a/src/vnet/session/session_debug.h +++ b/src/vnet/session/session_debug.h 
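Review bot: vl_api_application_tls_cert_add_t_handler and the key handler take `mp->app_index` straight from the message and pass it to vnet_app_add_tls_cert/key with nothing tying it to the sender (`mp->client_index`), so any API client can replace the TLS certificate and private key of any attached application, and an out-of-range index reaches application_get, whose bounds checking is not visible here. Resolve the application from mp->client_index, as the attach/detach handlers in this file presumably do, and reject the request when it does not match the supplied index, e.g. `rv = VNET_API_ERROR_INVALID_VALUE; goto done;`. Two smaller points: both handlers declare `vl_api_app_namespace_add_del_reply_t *rmp` rather than the autoreply types `vl_api_application_tls_cert_add_reply_t` / `vl_api_application_tls_key_add_reply_t` (same layout today, but the wrong type), and `vec_free (a->key)` releases the copied private key without clearing it first.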
@@ -33,7 +33,7 @@ typedef enum _session_evt_dbg #define SESSION_DEBUG (0 && TRANSPORT_DEBUG) #define SESSION_DEQ_NODE_EVTS (0) -#define SESSION_EVT_POLL_DBG (1) +#define SESSION_EVT_POLL_DBG (0) #if SESSION_DEBUG diff --git a/src/vnet/session/session_node.c b/src/vnet/session/session_node.c index 796056e7088..9cd0ef18415 100644 --- a/src/vnet/session/session_node.c +++ b/src/vnet/session/session_node.c @@ -389,6 +389,20 @@ session_tx_fifo_dequeue_and_snd (vlib_main_t * vm, vlib_node_runtime_t * node, n_tx_pkts, 0); } +int +session_tx_fifo_dequeue_internal (vlib_main_t * vm, + vlib_node_runtime_t * node, + session_manager_main_t * smm, + session_fifo_event_t * e0, + stream_session_t * s0, u32 thread_index, + int *n_tx_pkts) +{ + application_t *app; + app = application_get (s0->opaque); + svm_fifo_unset_event (s0->server_tx_fifo); + return app->cb_fns.builtin_app_tx_callback (s0); +} + always_inline stream_session_t * session_event_get_session (session_fifo_event_t * e, u8 thread_index) { @@ -505,7 +519,7 @@ session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e) clib_memcpy (e, headp, q->elsize); found = session_node_cmp_event (e, f); if (found) - break; + return 1; if (++index == q->maxsize) index = 0; } @@ -657,7 +671,7 @@ skip_dequeue: continue; svm_fifo_unset_event (s0->server_rx_fifo); app = application_get (s0->app_index); - app->cb_fns.builtin_server_rx_callback (s0); + app->cb_fns.builtin_app_rx_callback (s0); break; case FIFO_EVENT_RPC: fp = e0->rpc_args.fp; diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c index 85e8732ddab..91ac351f860 100644 --- a/src/vnet/session/session_test.c +++ b/src/vnet/session/session_test.c @@ -69,12 +69,6 @@ dummy_del_segment_callback (u32 client_index, const ssvm_private_t * fs) return 0; } -int -dummy_redirect_connect_callback (u32 client_index, void *mp) -{ - return VNET_API_ERROR_SESSION_REDIRECT; -} - void dummy_session_disconnect_callback (stream_session_t * s) { 
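Review bot: session_tx_fifo_dequeue_internal looks the application up through `s0->opaque`, whereas the rx path in the `@@ -657,7 +671,7 @@` hunk of this file uses `application_get (s0->app_index)`; since `opaque` is introduced in stream_session.h as a union member aliasing `listener_index`, a comment such as `/* App-based transports keep the owning app index in s0->opaque */` would stop the next reader from treating this as a typo. `application_get` is not checked for NULL before `app->cb_fns.builtin_app_tx_callback (s0)` is called; if it can return NULL for a stale index, this dereference is a crash. `*n_tx_pkts` is never written, so if the dispatcher accumulates it as it does for the other tx functions, set it explicitly (`*n_tx_pkts = 0;`) rather than relying on the caller's initial value.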
@@ -104,7 +98,7 @@ static session_cb_vft_t dummy_session_cbs = { .session_connected_callback = dummy_session_connected_callback, .session_accept_callback = dummy_session_accept_callback, .session_disconnect_callback = dummy_session_disconnect_callback, - .builtin_server_rx_callback = dummy_server_rx_callback, + .builtin_app_rx_callback = dummy_server_rx_callback, .add_segment_callback = dummy_add_segment_callback, .del_segment_callback = dummy_del_segment_callback, }; @@ -1316,8 +1310,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input) SESSION_TEST ((handle == SESSION_DROP_HANDLE), "lookup for 1.2.3.4/32 1234 " "5.6.7.8/16 432*2* in local table should return deny"); + connect_args.app_index = server_index; connect_args.sep = sep; + error = vnet_connect (&connect_args); SESSION_TEST ((error != 0), "connect should fail"); rv = clib_error_get_code (error); diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h index 5c4601daa31..6f6dce66040 100644 --- a/src/vnet/session/stream_session.h +++ b/src/vnet/session/stream_session.h @@ -85,8 +85,13 @@ typedef struct _stream_session_t /** Transport specific */ u32 connection_index; - /** Parent listener session if the result of an accept */ - u32 listener_index; + union + { + /** Parent listener session if the result of an accept */ + u32 listener_index; + /** Opaque, for general use */ + u32 opaque; + }; CLIB_CACHE_LINE_ALIGN_MARK (pad); } stream_session_t; 
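Review bot: The new anonymous union makes `listener_index` and `opaque` share storage, but nothing says which member is valid for which kind of session, and session_node.c in this same change reads `s0->opaque` as an application index while the session itself carries no indication of which interpretation applies. Replace the `/** Opaque, for general use */` comment with one that states the rule, e.g. `/** Opaque, for general use; app-based transports store the owning app index here. Only one of listener_index/opaque is meaningful for a given session. */`, adjusted to the intended contract. The enclosing struct starts outside the hunk.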
@@ -133,20 +138,27 @@ typedef struct local_session_ CLIB_CACHE_LINE_ALIGN_MARK (pad); } local_session_t; +#define foreach_session_endpoint_fields \ + foreach_transport_connection_fields \ + _(u8, transport_proto) \ + _(u8, app_proto) \ + typedef struct _session_endpoint { - /* - * Network specific - */ #define _(type, name) type name; - foreach_transport_connection_fields + foreach_session_endpoint_fields #undef _ - /* - * Session specific - */ - u8 transport_proto; /**< transport protocol for session */ } session_endpoint_t; +typedef struct _session_endpoint_extended +{ +#define _(type, name) type name; + foreach_session_endpoint_fields +#undef _ + u32 app_index; + u32 opaque; +} session_endpoint_extended_t; + #define SESSION_IP46_ZERO \ { \ .ip6 = { \ @@ -161,6 +173,7 @@ typedef struct _session_endpoint .is_ip4 = 0, \ .port = 0, \ .transport_proto = 0, \ + .app_proto = 0, \ } #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep) diff --git a/src/vnet/session/transport.c b/src/vnet/session/transport.c index acbb4f65e7a..797bdad1eaa 100644 --- a/src/vnet/session/transport.c +++ b/src/vnet/session/transport.c @@ -96,6 +96,10 @@ unformat_transport_proto (unformat_input_t * input, va_list * args) *proto = TRANSPORT_PROTO_SCTP; else if (unformat (input, "SCTP")) *proto = TRANSPORT_PROTO_SCTP; + else if (unformat (input, "tls")) + *proto = TRANSPORT_PROTO_TLS; + else if (unformat (input, "TLS")) + *proto = TRANSPORT_PROTO_TLS; else return 0; return 1; diff --git a/src/vnet/session/transport.h b/src/vnet/session/transport.h index 76ee2262ecd..ed9eb02754e 100644 --- a/src/vnet/session/transport.h +++ b/src/vnet/session/transport.h 
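Review bot: `foreach_session_endpoint_fields` ends with a trailing `\` after `_(u8, app_proto)` that continues the macro onto the following empty line; drop that last backslash. `session_endpoint_extended_t` re-expands the same field list instead of embedding `session_endpoint_t`, and `session_endpoint_to_transport` already casts between these layouts, so the prefix-compatibility assumption deserves a static assertion next to the typedef (STATIC_ASSERT or C11 `_Static_assert`) checking that the shared fields sit at the same offsets in both structs. A short comment on `app_proto` saying what it encodes as opposed to `transport_proto` would also help, since nothing here defines it.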
@@ -25,20 +25,34 @@ */ typedef struct _transport_connection { - ip46_address_t rmt_ip; /**< Remote IP */ - ip46_address_t lcl_ip; /**< Local IP */ - u16 lcl_port; /**< Local port */ - u16 rmt_port; /**< Remote port */ - u8 proto; /**< Protocol id */ - u8 is_ip4; /**< Flag if IP4 connection */ - u32 fib_index; /**< Network namespace */ + /** Connection ID */ + union + { + /* + * Network connection ID tuple + */ + struct + { + ip46_address_t rmt_ip; /**< Remote IP */ + ip46_address_t lcl_ip; /**< Local IP */ + u16 lcl_port; /**< Local port */ + u16 rmt_port; /**< Remote port */ + u8 proto; /**< Protocol id */ + u8 is_ip4; /**< Flag if IP4 connection */ + u32 fib_index; /**< Network namespace */ + }; + /* + * Opaque connection ID + */ + u8 opaque_conn_id[42]; + }; u32 s_index; /**< Parent session index */ u32 c_index; /**< Connection index in transport pool */ u32 thread_index; /**< Worker-thread index */ - fib_node_index_t rmt_fei; /**< FIB entry index for rmt */ - dpo_id_t rmt_dpo; /**< Forwarding DPO for rmt */ + /*fib_node_index_t rmt_fei; + dpo_id_t rmt_dpo; */ #if TRANSPORT_DEBUG elog_track_t elog_track; /**< Event logging */ @@ -64,6 +78,7 @@ typedef struct _transport_connection #define c_cc_stat_tstamp connection.cc_stat_tstamp #define c_rmt_fei connection.rmt_fei #define c_rmt_dpo connection.rmt_dpo +#define c_opaque_id connection.opaque_conn_id } transport_connection_t; typedef enum _transport_proto @@ -72,6 +87,7 @@ typedef enum _transport_proto TRANSPORT_PROTO_UDP, TRANSPORT_PROTO_SCTP, TRANSPORT_PROTO_NONE, + TRANSPORT_PROTO_TLS, TRANSPORT_N_PROTO } transport_proto_t; diff --git a/src/vnet/session/transport_interface.h b/src/vnet/session/transport_interface.h index 09542e6a6aa..04a5ff263b1 100644 --- a/src/vnet/session/transport_interface.h +++ b/src/vnet/session/transport_interface.h 
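Review bot: `u8 opaque_conn_id[42]` hard-codes what appears to be the unpadded sum of the tuple's field sizes (2 x 16 + 2 x 2 + 2 x 1 + 4); with `fib_index` (u32) following two u8 members the compiler will very likely insert alignment padding, so the tuple is larger than 42 bytes and an id written through the array would not cover it. Either define the tuple as a named type and size the array with `sizeof` of it, or add a static assertion that the array is at least as large as the tuple so the two cannot drift. `rmt_fei`/`rmt_dpo` are left as a commented-out block while `#define c_rmt_fei connection.rmt_fei` and `#define c_rmt_dpo connection.rmt_dpo` remain as context in the next hunk; the macros now name members that no longer exist, so delete the comment and both macros (or keep the fields). `TRANSPORT_PROTO_TLS` is inserted after `TRANSPORT_PROTO_NONE`; if any code uses `< TRANSPORT_PROTO_NONE` as the set of real protocols, TLS falls outside it, which is worth a check or a comment explaining the ordering.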
@@ -19,9 +19,26 @@ #include <vnet/vnet.h> #include <vnet/session/transport.h> +typedef enum transport_dequeue_type_ +{ + TRANSPORT_TX_PEEK, /**< reliable transport protos */ + TRANSPORT_TX_DEQUEUE, /**< unreliable transport protos */ + TRANSPORT_TX_INTERNAL, /**< apps acting as transports */ + TRANSPORT_TX_N_FNS +} transport_tx_fn_type_t; + +typedef enum transport_service_type_ +{ + TRANSPORT_SERVICE_VC, /**< virtual circuit service */ + TRANSPORT_SERVICE_CL, /**< connectionless service */ + TRANSPORT_SERVICE_APP, /**< app transport service */ + TRANSPORT_N_SERVICES +} transport_service_type_t; + /* * Transport protocol virtual function table */ +/* *INDENT-OFF* */ typedef struct _transport_proto_vft { /* @@ -37,10 +54,11 @@ typedef struct _transport_proto_vft /* * Transmission */ - u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b); - u16 (*send_mss) (transport_connection_t * tc); - u32 (*send_space) (transport_connection_t * tc); - u32 (*tx_fifo_offset) (transport_connection_t * tc); + + u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b); + u16 (*send_mss) (transport_connection_t * tc); + u32 (*send_space) (transport_connection_t * tc); + u32 (*tx_fifo_offset) (transport_connection_t * tc); void (*update_time) (f64 time_now, u8 thread_index); /* @@ -56,11 +74,18 @@ typedef struct _transport_proto_vft u8 *(*format_connection) (u8 * s, va_list * args); u8 *(*format_listener) (u8 * s, va_list * args); u8 *(*format_half_open) (u8 * s, va_list * args); + + /* + * Properties + */ + transport_tx_fn_type_t tx_type; + transport_service_type_t service_type; } transport_proto_vft_t; +/* *INDENT-ON* */ extern transport_proto_vft_t *tp_vfts; -#define transport_proto_foreach(VAR, BODY) \ +#define transport_proto_foreach(VAR, BODY) \ do { \ for (VAR = 0; VAR < vec_len (tp_vfts); VAR++) \ if (tp_vfts[VAR].push_header != 0) \ diff --git a/src/vnet/tcp/tcp.c b/src/vnet/tcp/tcp.c index 8d222e3c684..6de48b2bd3a 100644 --- a/src/vnet/tcp/tcp.c 
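Review bot: Both new enums put their first value at 0 (`TRANSPORT_TX_PEEK`, `TRANSPORT_SERVICE_VC`), and `tx_type`/`service_type` are plain fields in a vft that transports fill with designated initializers, so any transport that omits them silently reports peek/VC semantics instead of failing loudly. If the dispatcher selects the tx function from `tx_type`, a forgotten field on a new transport becomes a wrong-dequeue bug rather than a registration error; a comment on the fields stating that every vft must set them, or an explicit "unset" enumerator checked at registration, would close that gap. The `/* *INDENT-OFF* */` wrapper now spans the whole typedef, which also disables the formatter for the unrelated function-pointer members; presumably intentional, but it is a broader effect than the hunk suggests.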
+++ b/src/vnet/tcp/tcp.c @@ -1037,6 +1037,8 @@ const static transport_proto_vft_t tcp_proto = { .format_connection = format_tcp_session, .format_listener = format_tcp_listener_session, .format_half_open = format_tcp_half_open_session, + .tx_type = TRANSPORT_TX_PEEK, + .service_type = TRANSPORT_SERVICE_VC, }; /* *INDENT-ON* */ diff --git a/src/vnet/tcp/tcp_output.c b/src/vnet/tcp/tcp_output.c index ec8a251e6eb..bbcbc912175 100644 --- a/src/vnet/tcp/tcp_output.c +++ b/src/vnet/tcp/tcp_output.c @@ -389,7 +389,7 @@ tcp_make_options (tcp_connection_t * tc, tcp_options_t * opts, case TCP_STATE_SYN_SENT: return tcp_make_syn_options (opts, tc->rcv_wscale); default: - clib_warning ("Not handled!"); + clib_warning ("State not handled! %d", state); return 0; } } diff --git a/src/vnet/udp/udp.c b/src/vnet/udp/udp.c index 9284cd7b269..3b8b707abe1 100644 --- a/src/vnet/udp/udp.c +++ b/src/vnet/udp/udp.c @@ -321,7 +321,9 @@ const static transport_proto_vft_t udp_proto = { .send_space = udp_send_space, .format_connection = format_udp_session, .format_half_open = format_udp_half_open_session, - .format_listener = format_udp_listener_session + .format_listener = format_udp_listener_session, + .tx_type = TRANSPORT_TX_DEQUEUE, + .service_type = TRANSPORT_SERVICE_VC, }; /* *INDENT-ON* */ |
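Review bot: udp_proto registers `.service_type = TRANSPORT_SERVICE_VC,` although the same change introduces `TRANSPORT_SERVICE_CL` documented as "connectionless service", for which UDP is the obvious candidate. If VC is intentional because the session layer treats UDP sessions as connections, a one-line comment on the initializer (`/* UDP sessions are connection-like at the session layer */`) would keep this from reading as a mix-up; tcp.c above uses VC as expected.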