30 Commits

Author SHA1 Message Date
d0e8bd75f6 tls: cleanup engine hs cb and improve ctx formatting
Handshake completion is now tracked via a ctx flag so we no longer need
ctx_handshake_is_over.

Also, as we no longer prealloc application sessions, improve ctx state
formatting.

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If48588ecde13e56fb99d1a46238bda53ed4eae1b
2024-09-26 20:44:34 +00:00
c3148b1be8 misc: remove GNU Indent directives
Type: refactor
Change-Id: I5235bf3e9aff58af6ba2c14e8c6529c4fc9ec86c
Signed-off-by: Damjan Marion <damarion@cisco.com>
2024-03-12 19:29:56 +00:00
ea158d64a0 tls: pass reset ntf to engines
Type: improvement

Change-Id: Ie042605e50656229874b7a93638f0f04c894410f
Signed-off-by: Florin Coras <fcoras@cisco.com>
2024-02-27 18:49:20 +00:00
28aef29e01 tls: fix compilation error
After changes done in https://gerrit.fd.io/r/c/vpp/+/40281 ,
mbedtls plugin is failing to build if enabled.

Discussion https://lists.fd.io/g/vpp-dev/topic/104344802#24060

Type: fix
Signed-off-by: Niyaz Murshed <niyaz.murshed@arm.com>
Change-Id: Iee58b69301ac64f058bca0a7f7a0dedd2def4b35
2024-02-14 18:46:56 +00:00
208e7dc362 tls: crash in mbedtls due to ctx is already free
_clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fffb3a7e1b5 "%s:%d (%s) assertion `%s' fails") at src/vppinfra/error.c:143
mbedtls_ctx_get (ctx_index=0) at src/plugins/tlsmbedtls/tls_mbedtls.c:114
tls_ctx_get (ctx_handle=536870912) at src/vnet/tls/tls.c:310
tls_app_session_cleanup (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/tls/tls.c:624
app_worker_cleanup_notify (app_wrk=0x7fffbef95f80, s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/application_worker.c:445
session_cleanup_notify (s=0x7fffbf102040, ntf=SESSION_CLEANUP_SESSION) at src/vnet/session/session.c:262
session_free_w_fifos (s=0x7fffbf102040) at src/vnet/session/session.c:268
session_delete (s=0x7fffbf102040) at src/vnet/session/session.c:287
session_transport_delete_notify (tc=0x7fffbdf63c40) at src/vnet/session/session.c:1159
tcp_handle_cleanups (wrk=0x7fffbef46d40, now=133.30033046694487) at src/vnet/tcp/tcp.c:1298
tcp_update_time (now=133.30033046694487, thread_index=2 '\002') at src/vnet/tcp/tcp.c:1309
session_update_time_subscribers (smm=0x7ffff7f75ce0 <session_main>, now=133.30033046694487, thread_index=2) at src/vnet/session/session_node.c:1817
session_queue_node_fn (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, frame=0x0) at src/vnet/session/session_node.c:1934
dispatch_node (vm=0x7fffbdfad1c0, node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT, dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0, last_time_stamp=4722227957546624) at src/vlib/main.c:960

Putting a breakpoint in gdb, I found out ctx was freed in mbedtls_app_close.
Looking at app_close function in picotls and openssl, I don't see them
free ctx and they don't crash when processing cleanup. I am inclined to
think that mbedtls_ctx_free should not be called in mbedtls_app_close.

    at src/plugins/tlsmbedtls/tls_mbedtls.c:92
    at src/plugins/tlsmbedtls/tls_mbedtls.c:559
    at src/vnet/tls/tls.c:360
    thread_index=2) at src/vnet/tls/tls.c:762
    conn_index=536870912, thread_index=2 '\002')
    at src/vnet/session/transport.c:332
    at src/vnet/session/session.c:1608
    elt=0x7fffbdfef3dc)
    at src/vnet/session/session_node.c:1672
    node=0x7fffbe0b1340, frame=0x0)
    at src/vnet/session/session_node.c:1966
    node=0x7fffbe0b1340, type=VLIB_NODE_TYPE_INPUT,
    dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x0,
    last_time_stamp=4721919444027682)
    at src/vlib/main.c:960

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ic5c13e659aee618c8accee42af9f40931b62f467
2022-11-03 21:46:40 +00:00
009303dc06 tls: use safe pool reallocs
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
2022-10-31 15:24:18 +00:00
d918cc54eb tls: support to reinitialise ca_chain wo restart
Type: improvement

Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com>
Change-Id: I90e90678ae6586019cc842f9d504d53991cfabe4
2022-03-30 21:20:32 +00:00
3648d93b98 build: declare some CMake variables as advanced
Type: make
Change-Id: I780c1c81a50cb92bc89c05856efd8ef88479c0ab
Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-04-30 20:30:16 +02:00
9f86d225ab session tls: support tls descheduling
Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea
2020-04-04 17:34:13 +00:00
ed8db52539 session tls: improve app transports tx scheduling
Type: improvement

- allow apps to request rescheduling of tx events via
SESSION_F_CUSTOM_TX flag
- limit max burst per session custom tx dispatch

In tls
- use the new infra to reschedule tx events
- use max burst bytes as upper limit to number of bytes to be encrypted

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
2020-04-04 17:34:13 +00:00
00e01d3e87 session: improve error reporting
Type: improvement

Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817
Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-04-03 22:10:22 +00:00
82fc5fd447 hsa: use crypto_engine_type_t for TLS
Type: refactor

This patch does the following conversions
TLS_ENGINE_X -> CRYPTO_ENGINE_X
tls_engine_type_t -> crypto_engine_t
It does not change numbering of engines

Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-10-09 01:11:11 +00:00
79f89537c6 session: Add certificate store
Type: feature

This changes the behavior of both API calls
APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD
certificates and keys aren't bound to an app, they are
passed to it via connect / listen using the message
queue.

This should be followed by a per protocol (QUIC/TLS)
crypto_context store to save derived structs

Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-10-09 01:09:11 +00:00
f8d50682cd init / exit function ordering
The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.

The following schemes are *roughly* equivalent:

static clib_error_t *init_runs_first (vlib_main_t *vm)
{
   clib_error_t *error;

   ... do some stuff...

   if ((error = vlib_call_init_function (init_runs_next)))
     return error;
   ...
}
VLIB_INIT_FUNCTION (init_runs_first);

and

static clib_error_t *init_runs_first (vlib_main_t *vm)
{
   ... do some stuff...
}
VLIB_INIT_FUNCTION (init_runs_first) =
{
    .runs_before = VLIB_INITS("init_runs_next"),
};

The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.

Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.

Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>
2019-05-16 16:11:23 +00:00
1d1985de91 plugins: clean up plugin descriptions
- Make plugin descriptions more consistent
  so the output of "show plugin" can be
  used in the wiki.

Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-05-03 09:30:46 +00:00
87b15cebda svm: more fifo refactor/cleanup
Change-Id: Ie76c69641c8598164d0d00fd498018037258fd86
Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-04-30 16:59:49 +00:00
06a6a30f91 tls: allow engines to customize close
Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643
Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-04-18 07:52:17 +00:00
28aa539f7d svm_fifo rework to avoid contention on cursize
Problems Addressed:
- Contention of cursize by producer and consumer.
- Reduce the number of modulo operations.

Changes:
- Synchronization between producer and consumer changed from cursize
  to head and tail indexes
  Implications: reduces the usable size of fifo by 1.
- Using weaker memory ordering C++11 atomics to access head and tail
  based on producer and consumer role.
- Head and tail indexes are unsigned 32 bit integers. Additions and
  subtraction on them are implicit 32 bit Modulo operation.
- Adding weaker memory ordering variants of max_enq, max_deq, is_empty
  and is_full. Using them appropriately in all places.

Performance improvement (iperf3 via Hoststack):

iperf3 Server: Marvell ThunderX2(AArch64) - iperf3 Client: Skylake(x86)
   ~6%(256 rxd/txd) - ~11%(2048 rxd/txd)

Change-Id: I1d484e000e437430fdd5a819657d1c6b62443018
Signed-off-by: Sirshak Das <sirshak.das@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
2019-04-16 19:33:21 +00:00
9fd24793a4 cmake: add vpp_plugin_find_library macro
Change-Id: I0b996460e05c40e74766563fb2a94c62a65063ce
Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28 20:59:04 +00:00
df57ea0a3e tls: fix openssl/mbedtls use of app_wrk index
Change-Id: I7ccc948357d815a1bd4279a7079cf4db2949183c
Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-02-18 20:43:29 -08:00
288eaab596 session: cleanup part 1
Rename core data structures. This will break compatibility for out of
tree builtin apps.

- stream_session_t to session_t
- server_rx/tx_fifo to rx/tx_fifo
- stream_session.h to session_types.h
- update copyright

Change-Id: I414097c6e28bcbea866fbf13b8773c7db3f49325
Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-02-04 22:00:54 +00:00
b7b929931a c11 safe string handling support
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-23 13:06:46 +00:00
ef91534e66 tls: fix disconnects for sessions with pending data
TLS can enqueue events to itself when app session queue cannot be
entirely drained. If a pending disconnect is handled before any such
event, session layer may try to dequeue data on deallocated sessions.

Change-Id: I5bfc4d53ce95bc16b6a01e1b0e644aafa1ca311b
Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-10-02 07:09:05 +00:00
74449b8b68 cmake: improve add_vpp_plugin macro
Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a
Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-25 11:56:03 +02:00
9f540ed348 cmake: highlight warning and error messages
Change-Id: Id4b73368382b5e78c138987fe092429af5cb0afd
Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-18 14:36:58 +02:00
74dfaa665b cmake: DPDK rte_config.h parsing
Change-Id: I53cad8e7787a132a5d6bacd5fda3fe67b7d59b44
Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-18 14:04:29 +02:00
612dd6a955 CMake as an alternative to autotools (experimental)
Change-Id: Ibc59323e849810531dd0963e85493efad3b86857
Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-17 22:14:39 +00:00
decda5b466 optimize init_server to reduce session overhead
move unnecessary session based operation to listener
split original openssl ctx to be session based ctx and listen ctx

Change-Id: Id6c54f47b0e2171fd8924a45efcd5266ce5402d5
Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-08-17 14:48:10 +00:00
58d36f02b4 tls: add openssl engine
Change-Id: I6c215858d2c9c620787632b570950b15274c0df2
Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-03-15 15:04:11 +00:00
d77eee64b1 tls: make tls engines pluggable
- add infra for pluggable tls "engines"
- makes mbedtls specific code a plugin

Change-Id: I2c5b099e2b69d2be0038e3ef02b208ff907727e7
Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-03-08 21:53:33 +00:00