From a54b62d77794dee48510e7c128d3ab2fc90934b3 Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Wed, 21 Apr 2021 09:05:56 -0700 Subject: vcl session: refactor passing of crypto context Pass tls/quic crypto context using extended config instead of bloating conect/listen messages. Type: refactor Signed-off-by: Florin Coras Change-Id: I0bc637ae310e6c31ef1e16847501dcb81453ee94 --- src/plugins/hs_apps/echo_client.c | 19 +++++++++- src/plugins/hs_apps/echo_server.c | 16 +++++++- src/plugins/hs_apps/http_server.c | 20 +++++++++- src/plugins/hs_apps/proxy.c | 34 +++++++++++++++-- src/plugins/hs_apps/sapi/vpp_echo_bapi.c | 61 ++++++++++++++++++++++++++++-- src/plugins/hs_apps/sapi/vpp_echo_common.h | 3 ++ src/plugins/http_static/static_server.c | 20 +++++++++- src/plugins/quic/quic.c | 23 ++++++++--- 8 files changed, 176 insertions(+), 20 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/hs_apps/echo_client.c b/src/plugins/hs_apps/echo_client.c index 4680ae2f8d1..d641a9ec14e 100644 --- a/src/plugins/hs_apps/echo_client.c +++ b/src/plugins/hs_apps/echo_client.c @@ -718,6 +718,13 @@ echo_clients_start_tx_pthread (echo_client_main_t * ecm) return 0; } +static int +echo_client_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS || proto == TRANSPORT_PROTO_DTLS || + proto == TRANSPORT_PROTO_QUIC; +} + clib_error_t * echo_clients_connect (vlib_main_t * vm, u32 n_clients) { 
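Review bot: `echo_client_transport_needs_crypto` is one of several copies of the same three-protocol predicate this commit adds as a file-local static (echo_server.c, http_server.c and static_server.c get identical bodies, vpp_echo_bapi.c a `u8` variant), so the set of crypto transports will drift the first time one copy is updated. A single shared helper in a common hs_apps header, e.g. `static inline int hs_transport_needs_crypto (transport_proto_t proto)`, keeps one source of truth; if the session layer already exposes such a predicate, calling that is better still. A one-line comment on the helper, `/* transports whose connect/listen need a TRANSPORT_ENDPT_EXT_CFG_CRYPTO ext config */`, would also say why exactly these three are grouped. `echo_clients_connect` opens at the end of this hunk and its body lies outside it.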
@@ -736,10 +743,18 @@ echo_clients_connect (vlib_main_t * vm, u32 n_clients) clib_memcpy (&a->sep_ext, &sep, sizeof (sep)); a->api_context = i; a->app_index = ecm->app_index; - a->sep_ext.ckpair_index = ecm->ckpair_index; + if (echo_client_transport_needs_crypto (a->sep_ext.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&a->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + a->sep_ext.ext_cfg->crypto.ckpair_index = ecm->ckpair_index; + } vlib_worker_thread_barrier_sync (vm); - if ((rv = vnet_connect (a))) + rv = vnet_connect (a); + if (a->sep_ext.ext_cfg) + clib_mem_free (a->sep_ext.ext_cfg); + if (rv) { vlib_worker_thread_barrier_release (vm); return clib_error_return (0, "connect returned: %d", rv); diff --git a/src/plugins/hs_apps/echo_server.c b/src/plugins/hs_apps/echo_server.c index 63150d5a8d8..b75a3667e83 100644 --- a/src/plugins/hs_apps/echo_server.c +++ b/src/plugins/hs_apps/echo_server.c @@ -384,6 +384,13 @@ echo_server_detach (void) return rv; } +static int +echo_client_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS || proto == TRANSPORT_PROTO_DTLS || + proto == TRANSPORT_PROTO_QUIC; +} + static int echo_server_listen () { @@ -398,7 +405,12 @@ echo_server_listen () return -1; } args->app_index = esm->app_index; - args->sep_ext.ckpair_index = esm->ckpair_index; + if (echo_client_transport_needs_crypto (args->sep_ext.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&args->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + args->sep_ext.ext_cfg->crypto.ckpair_index = esm->ckpair_index; + } if (args->sep_ext.transport_proto == TRANSPORT_PROTO_UDP) { @@ -407,6 +419,8 @@ echo_server_listen () rv = vnet_listen (args); esm->listener_handle = args->handle; + if (args->sep_ext.ext_cfg) + clib_mem_free (args->sep_ext.ext_cfg); return rv; } diff --git a/src/plugins/hs_apps/http_server.c b/src/plugins/hs_apps/http_server.c index 72e3f3230b1..34892b6bd4d 100644 --- a/src/plugins/hs_apps/http_server.c 
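Review bot: After `clib_mem_free (a->sep_ext.ext_cfg)` the freed pointer is left in `a->sep_ext.ext_cfg`, and `a` is reused across the surrounding per-client loop; today the `clib_memcpy (&a->sep_ext, &sep, sizeof (sep))` at the top of each iteration overwrites it, but any later edit that conditions or moves that copy turns the next `if (a->sep_ext.ext_cfg)` into a double free. Clearing it right after the free, `a->sep_ext.ext_cfg = 0;`, is cheap insurance. The result of `session_endpoint_alloc_ext_cfg` is dereferenced unchecked on the next line, which is only safe if that helper aborts rather than returns on allocation failure (not visible here); a short comment stating that assumption would help. `echo_clients_connect` begins before this hunk and its loop continues past it.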
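Review bot: The helper added to echo_server.c is named `echo_client_transport_needs_crypto` although it lives in the server and is called only from `echo_server_listen`; the name reads as a copy-paste from echo_client.c and will mislead anyone grepping for client-side code. Rename it to match the file's prefix, `static int echo_server_transport_needs_crypto (transport_proto_t proto)`, and update the single call site in `echo_server_listen`. Since it is `static` there is no link clash, so this is naming only.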
+++ b/src/plugins/hs_apps/http_server.c @@ -759,6 +759,13 @@ http_server_attach () return 0; } +static int +http_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS || proto == TRANSPORT_PROTO_DTLS || + proto == TRANSPORT_PROTO_QUIC; +} + static int http_server_listen () { @@ -766,6 +773,7 @@ http_server_listen () http_server_main_t *hsm = &http_server_main; vnet_listen_args_t _a, *a = &_a; char *uri = "tcp://0.0.0.0/80"; + int rv; clib_memset (a, 0, sizeof (*a)); a->app_index = hsm->app_index; @@ -777,9 +785,17 @@ http_server_listen () return -1; clib_memcpy (&a->sep_ext, &sep, sizeof (sep)); - a->sep_ext.ckpair_index = hsm->ckpair_index; + if (http_transport_needs_crypto (a->sep_ext.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&a->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + a->sep_ext.ext_cfg->crypto.ckpair_index = hsm->ckpair_index; + } - return vnet_listen (a); + rv = vnet_listen (a); + if (a->sep_ext.ext_cfg) + clib_mem_free (a->sep_ext.ext_cfg); + return rv; } static void diff --git a/src/plugins/hs_apps/proxy.c b/src/plugins/hs_apps/proxy.c index 000815813ce..1a49a0f1f3a 100644 --- a/src/plugins/hs_apps/proxy.c +++ b/src/plugins/hs_apps/proxy.c @@ -42,6 +42,8 @@ proxy_cb_fn (void *data, u32 data_len) a.app_index = pa->app_index; clib_memcpy (&a.sep_ext, &pa->sep, sizeof (pa->sep)); vnet_connect (&a); + if (a.sep_ext.ext_cfg) + clib_mem_free (a.sep_ext.ext_cfg); } static void @@ -50,6 +52,8 @@ proxy_call_main_thread (vnet_connect_args_t * a) if (vlib_get_thread_index () == 0) { vnet_connect (a); + if (a->sep_ext.ext_cfg) + clib_mem_free (a->sep_ext.ext_cfg); } else { @@ -282,6 +286,12 @@ proxy_add_segment_callback (u32 client_index, u64 segment_handle) return -1; } +static int +proxy_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS; +} + static int proxy_rx_callback (session_t * s) { 
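Review bot: `proxy_cb_fn` now frees `a.sep_ext.ext_cfg`, a heap pointer that was copied from `pa->sep` by the `clib_memcpy` just above it, meaning the block was allocated by whichever thread queued this callback and its ownership travels inside the RPC payload; nothing in the hunk records that, so a reader (or a future change that makes `pa` a borrowed pointer) could easily add a second free on the originating side. A comment at the free, `/* ext_cfg was allocated by the worker that queued this RPC; it is ours to free */`, makes the hand-off explicit. The RPC mechanism and the original allocation are outside this hunk, so that reading is inferred from `proxy_rx_callback` later in the same patch.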
@@ -353,9 +363,16 @@ proxy_rx_callback (session_t * s) clib_spinlock_unlock_if_init (&pm->sessions_lock); clib_memcpy (&a->sep_ext, &pm->client_sep, sizeof (pm->client_sep)); - a->sep_ext.ckpair_index = pm->ckpair_index; a->api_context = proxy_index; a->app_index = pm->active_open_app_index; + + if (proxy_transport_needs_crypto (a->sep.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&a->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + a->sep_ext.ext_cfg->crypto.ckpair_index = pm->ckpair_index; + } + proxy_call_main_thread (a); } @@ -697,13 +714,24 @@ proxy_server_listen () { proxy_main_t *pm = &proxy_main; vnet_listen_args_t _a, *a = &_a; + int rv; + clib_memset (a, 0, sizeof (*a)); a->app_index = pm->server_app_index; clib_memcpy (&a->sep_ext, &pm->server_sep, sizeof (pm->server_sep)); - a->sep_ext.ckpair_index = pm->ckpair_index; + if (proxy_transport_needs_crypto (a->sep.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&a->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + a->sep_ext.ext_cfg->crypto.ckpair_index = pm->ckpair_index; + } + + rv = vnet_listen (a); + if (a->sep_ext.ext_cfg) + clib_mem_free (a->sep_ext.ext_cfg); - return vnet_listen (a); + return rv; } static void diff --git a/src/plugins/hs_apps/sapi/vpp_echo_bapi.c b/src/plugins/hs_apps/sapi/vpp_echo_bapi.c index 0a0168b070e..7cf15eb1486 100644 --- a/src/plugins/hs_apps/sapi/vpp_echo_bapi.c +++ b/src/plugins/hs_apps/sapi/vpp_echo_bapi.c 
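Review bot: In `proxy_rx_callback` the crypto ext config is heap-allocated and then handed to `proxy_call_main_thread (a)`, which on a worker thread (its other branch, outside this hunk) appears to forward `a` to the main thread where `proxy_cb_fn` frees it; allocation and free are thus in different functions and threads with nothing tying them together. Add `/* freed by proxy_cb_fn or proxy_call_main_thread after vnet_connect */` beside the `session_endpoint_alloc_ext_cfg` call. The test also reads `a->sep.transport_proto` while every other site in this commit reads `a->sep_ext.transport_proto`; the two must alias the same field for the `clib_memcpy` into `sep_ext` to work, but using `sep_ext` here keeps the pattern uniform. `proxy_rx_callback` starts before this hunk.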
@@ -100,6 +100,31 @@ echo_send_del_cert_key (echo_main_t * em) vl_msg_api_send_shmem (em->vl_input_queue, (u8 *) & bmp); } +static u8 +echo_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS || proto == TRANSPORT_PROTO_DTLS || + proto == TRANSPORT_PROTO_QUIC; +} + +static void +echo_msg_add_crypto_ext_config (echo_main_t *em, uword *offset) +{ + transport_endpt_ext_cfg_t cfg; + svm_fifo_chunk_t *c; + + c = echo_segment_alloc_chunk (ECHO_MQ_SEG_HANDLE, 0, sizeof (cfg), offset); + if (!c) + return; + + memset (&cfg, 0, sizeof (cfg)); + cfg.type = TRANSPORT_ENDPT_EXT_CFG_CRYPTO; + cfg.len = sizeof (cfg); + cfg.crypto.ckpair_index = em->ckpair_index; + cfg.crypto.crypto_engine = em->crypto_engine; + clib_memcpy_fast (c->data, &cfg, cfg.len); +} + void echo_send_listen (echo_main_t * em, ip46_address_t * ip) { @@ -117,8 +142,8 @@ echo_send_listen (echo_main_t * em, ip46_address_t * ip) clib_memcpy_fast (&mp->ip, ip, sizeof (mp->ip)); mp->port = em->uri_elts.port; mp->proto = em->uri_elts.transport_proto; - mp->ckpair_index = em->ckpair_index; - mp->crypto_engine = em->crypto_engine; + if (echo_transport_needs_crypto (mp->proto)) + echo_msg_add_crypto_ext_config (em, &mp->ext_config); app_send_ctrl_evt_to_vpp (mq, app_evt); } @@ -163,8 +188,8 @@ echo_send_connect (echo_main_t * em, void *args) mp->port = em->uri_elts.port; mp->proto = em->uri_elts.transport_proto; mp->parent_handle = a->parent_session_handle; - mp->ckpair_index = em->ckpair_index; - mp->crypto_engine = em->crypto_engine; + if (echo_transport_needs_crypto (mp->proto)) + echo_msg_add_crypto_ext_config (em, &mp->ext_config); mp->flags = em->connect_flag; app_send_ctrl_evt_to_vpp (mq, app_evt); } 
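Review bot: `echo_msg_add_crypto_ext_config` silently returns when `echo_segment_alloc_chunk` fails, so `echo_send_listen` and `echo_send_connect` send a TLS/DTLS/QUIC request whose `ext_config` was never filled in, and the only symptom is the transport's generic failure (in this same patch `quic_connect_connection` returns -1 on a missing ext config), far from the cause. At minimum log it, `ECHO_LOG (0, "ERROR: failed to allocate crypto ext config chunk");`, and preferably return an int so the callers can fail the listen/connect instead of sending. Whether the chunk is released after VPP consumes the message is not visible here; if VPP does not free it, every connect leaks `sizeof (transport_endpt_ext_cfg_t)` in the mq segment, and whichever is the case should be stated in a comment at the allocation.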
@@ -332,6 +357,34 @@ echo_segment_attach_mq (uword segment_handle, uword mq_offset, u32 mq_index, return 0; } +svm_fifo_chunk_t * +echo_segment_alloc_chunk (uword segment_handle, u32 slice_index, u32 size, + uword *offset) +{ + echo_main_t *em = &echo_main; + svm_fifo_chunk_t *c; + fifo_segment_t *fs; + u32 fs_index; + + fs_index = echo_segment_lookup (segment_handle); + if (fs_index == (u32) ~0) + { + ECHO_LOG (0, "ERROR: mq segment %lx for is not attached!", + segment_handle); + return 0; + } + + clib_spinlock_lock (&em->segment_handles_lock); + + fs = fifo_segment_get_segment (&em->segment_main, fs_index); + c = fifo_segment_alloc_chunk_w_slice (fs, slice_index, size); + *offset = fifo_segment_chunk_offset (fs, c); + + clib_spinlock_unlock (&em->segment_handles_lock); + + return c; +} + /* * * Binary API callbacks diff --git a/src/plugins/hs_apps/sapi/vpp_echo_common.h b/src/plugins/hs_apps/sapi/vpp_echo_common.h index dc5f7dfb9b5..4760f3b06e3 100644 --- a/src/plugins/hs_apps/sapi/vpp_echo_common.h +++ b/src/plugins/hs_apps/sapi/vpp_echo_common.h @@ -448,6 +448,9 @@ int echo_attach_session (uword segment_handle, uword rxf_offset, uword mq_offset, uword txf_offset, echo_session_t *s); int echo_segment_attach_mq (uword segment_handle, uword mq_offset, u32 mq_index, svm_msg_q_t **mq); +svm_fifo_chunk_t *echo_segment_alloc_chunk (uword segment_handle, + u32 slice_index, u32 size, + uword *offset); /* Binary API */ diff --git a/src/plugins/http_static/static_server.c b/src/plugins/http_static/static_server.c index b354666f816..23860b083d8 100644 --- a/src/plugins/http_static/static_server.c +++ b/src/plugins/http_static/static_server.c @@ -1185,6 +1185,13 @@ http_static_server_attach () return 0; } +static int +http_static_transport_needs_crypto (transport_proto_t proto) +{ + return proto == TRANSPORT_PROTO_TLS || proto == TRANSPORT_PROTO_DTLS || + proto == TRANSPORT_PROTO_QUIC; +} + static int http_static_server_listen () { 
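Review bot: `echo_segment_alloc_chunk` stores `*offset = fifo_segment_chunk_offset (fs, c)` before checking whether `fifo_segment_alloc_chunk_w_slice` returned NULL, so on allocation failure the caller gets a NULL chunk together with a garbage offset that has already been written into `mp->ext_config`; the caller's `if (!c) return;` is then too late to keep that offset from reaching VPP. Guard the store: `if (c)` followed by `*offset = fifo_segment_chunk_offset (fs, c);`. The `fs_index` lookup happens before `segment_handles_lock` is taken while the segment itself is fetched under it; if segments can be detached concurrently that is a window in which `fs_index` goes stale, worth either a comment or moving the lookup under the lock. The log text `"mq segment %lx for is not attached!"` has a stray `for`.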
@@ -1192,6 +1199,7 @@ http_static_server_listen () session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL; vnet_listen_args_t _a, *a = &_a; char *uri = "tcp://0.0.0.0/80"; + int rv; clib_memset (a, 0, sizeof (*a)); a->app_index = hsm->app_index; @@ -1203,9 +1211,17 @@ http_static_server_listen () return -1; clib_memcpy (&a->sep_ext, &sep, sizeof (sep)); - a->sep_ext.ckpair_index = hsm->ckpair_index; + if (http_static_transport_needs_crypto (a->sep_ext.transport_proto)) + { + session_endpoint_alloc_ext_cfg (&a->sep_ext, + TRANSPORT_ENDPT_EXT_CFG_CRYPTO); + a->sep_ext.ext_cfg->crypto.ckpair_index = hsm->ckpair_index; + } - return vnet_listen (a); + rv = vnet_listen (a); + if (a->sep_ext.ext_cfg) + clib_mem_free (a->sep_ext.ext_cfg); + return rv; } static void diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c index cf4d1470ffd..cf697278cb7 100644 --- a/src/plugins/quic/quic.c +++ b/src/plugins/quic/quic.c @@ -1304,6 +1304,7 @@ static int quic_connect_connection (session_endpoint_cfg_t * sep) { vnet_connect_args_t _cargs, *cargs = &_cargs; + transport_endpt_crypto_cfg_t *ccfg; quic_main_t *qm = &quic_main; quic_ctx_t *ctx; app_worker_t *app_wrk; @@ -1312,6 +1313,11 @@ quic_connect_connection (session_endpoint_cfg_t * sep) u32 thread_index = vlib_get_thread_index (); int error; + if (!sep->ext_cfg) + return -1; + + ccfg = &sep->ext_cfg->crypto; + clib_memset (cargs, 0, sizeof (*cargs)); ctx_index = quic_ctx_alloc (thread_index); ctx = quic_ctx_get (ctx_index, thread_index); @@ -1323,8 +1329,8 @@ quic_connect_connection (session_endpoint_cfg_t * sep) ctx->conn_state = QUIC_CONN_STATE_HANDSHAKE; ctx->client_opaque = sep->opaque; ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; - if (sep->hostname) - ctx->srv_hostname = format (0, "%v", sep->hostname); + if (ccfg->hostname[0]) + ctx->srv_hostname = format (0, "%s", ccfg->hostname); else /* needed by quic for crypto + determining client / server */ ctx->srv_hostname = format (0, "%U", format_ip46_address, 
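Review bot: `quic_connect_connection` rejects a missing `sep->ext_cfg` but then takes `&sep->ext_cfg->crypto` without confirming the config is of the crypto kind, although `transport_endpt_ext_cfg_t` carries a `type` and a `len` (vpp_echo_bapi.c in this patch fills both); with the config arriving from the application through a shared-memory chunk, a config of another type or a truncated one would be read as crypto settings. Tighten the guard to `if (!sep->ext_cfg || sep->ext_cfg->type != TRANSPORT_ENDPT_EXT_CFG_CRYPTO) return -1;` and, if `len` is meant to be authoritative, also reject `sep->ext_cfg->len < sizeof (*sep->ext_cfg)`. The same guard is wanted in `quic_start_listen`. `quic_connect_connection` continues past this hunk.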
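Review bot: The server name is now formatted with `"%s"` from `ccfg->hostname`, which the `ccfg->hostname[0]` test suggests is an inline array in the app-supplied crypto config rather than the length-carrying vector the old `"%v"` consumed; if the application fills the array without a terminating NUL, `format` reads past it. Either require a terminator before formatting, e.g. `if (!memchr (ccfg->hostname, 0, sizeof (ccfg->hostname))) return -1;` (or the clib equivalent), or copy with an explicit bound; the array's declared size is not visible in this hunk, so confirm it against `transport_endpt_crypto_cfg_t`. Returning at this point would leak the `ctx` allocated just above, so the check belongs next to the `!sep->ext_cfg` guard that precedes `quic_ctx_alloc`.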
@@ -1342,8 +1348,8 @@ quic_connect_connection (session_endpoint_cfg_t * sep) cargs->sep_ext.ns_index = app->ns_index; cargs->sep_ext.transport_flags = TRANSPORT_CFG_F_CONNECTED; - ctx->crypto_engine = sep->crypto_engine; - ctx->ckpair_index = sep->ckpair_index; + ctx->crypto_engine = ccfg->crypto_engine; + ctx->ckpair_index = ccfg->ckpair_index; if ((error = quic_acquire_crypto_context (ctx))) return error; @@ -1435,6 +1441,7 @@ static u32 quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) { vnet_listen_args_t _bargs, *args = &_bargs; + transport_endpt_crypto_cfg_t *ccfg; quic_main_t *qm = &quic_main; session_handle_t udp_handle; session_endpoint_cfg_t *sep; @@ -1447,6 +1454,10 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) int rv; sep = (session_endpoint_cfg_t *) tep; + if (!sep->ext_cfg) + return -1; + + ccfg = &sep->ext_cfg->crypto; app_wrk = app_worker_get (sep->app_wrk_index); /* We need to call this because we call app_worker_init_connected in * quic_accept_stream, which assumes the connect segment manager exists */ @@ -1483,8 +1494,8 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) lctx->parent_app_id = app_wrk->app_index; lctx->udp_session_handle = udp_handle; lctx->c_s_index = quic_listen_session_index; - lctx->crypto_engine = sep->crypto_engine; - lctx->ckpair_index = sep->ckpair_index; + lctx->crypto_engine = ccfg->crypto_engine; + lctx->ckpair_index = ccfg->ckpair_index; if (quic_acquire_crypto_context (lctx)) return -1; -- cgit 1.2.3-korg
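Review bot: `quic_start_listen` returns -1 when `sep->ext_cfg` is NULL but, like `quic_connect_connection`, does not verify `sep->ext_cfg->type == TRANSPORT_ENDPT_EXT_CFG_CRYPTO` before taking `&sep->ext_cfg->crypto`; the listen path is the one an external app drives through the shared-memory message, so it is where a mis-typed config is most likely to arrive. Suggest `if (!sep->ext_cfg || sep->ext_cfg->type != TRANSPORT_ENDPT_EXT_CFG_CRYPTO) return -1;`. The function's return type is `u32`, so `-1` here is the same sentinel the existing `return -1` after `quic_acquire_crypto_context` already uses. `quic_start_listen` starts before this hunk and continues past it.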