Merge pull request #232 from kronosnet/stable1-proposed

stable1-proposed

build-aux/knet_valgrind_memcheck.supp

@@ -727,3 +727,115 @@
    fun:start_thread
    fun:clone
 }
+{
+   Opensuse 15 libnss
+   Memcheck:Cond
+   fun:__memcmp_sse4_1
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:FIPS_selftest
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:FIPS_mode_set
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:call_init.part.0
+   fun:_dl_init
+   fun:dl_open_worker
+   fun:_dl_catch_error
+   fun:_dl_open
+   fun:dlopen_doit
+}
+{
+   Opensuse 15 libnss
+   Memcheck:Cond
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:FIPS_mode_set
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:call_init.part.0
+   fun:_dl_init
+   fun:dl_open_worker
+   fun:_dl_catch_error
+   fun:_dl_open
+   fun:dlopen_doit
+   fun:_dl_catch_error
+   fun:_dlerror_run
+   fun:dlopen@@GLIBC_2.2.5
+}
+{
+   Opensuse tumbleweed libnss
+   Memcheck:Cond
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_generate
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_instantiate
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_get0_public
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:encrypt_openssl
+   fun:opensslcrypto_encrypt_and_signv
+   fun:opensslcrypto_encrypt_and_sign
+   fun:_handle_check_each
+   fun:_send_pings
+   fun:_handle_heartbt_thread
+   fun:start_thread
+}
+{
+   Opensuse tumbleweed libnss
+   Memcheck:Cond
+   obj:/usr/lib64/libcrypto.so.1.1
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_generate
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_instantiate
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_get0_public
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:encrypt_openssl
+   fun:opensslcrypto_encrypt_and_signv
+   fun:opensslcrypto_encrypt_and_sign
+   fun:_handle_check_each
+   fun:_send_pings
+   fun:_handle_heartbt_thread
+}
+{
+   Opensuse tumbleweed libnss
+   Memcheck:Cond
+   obj:/usr/lib64/libcrypto.so.1.1
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_generate
+   fun:RAND_DRBG_bytes
+   fun:encrypt_openssl
+   fun:opensslcrypto_encrypt_and_signv
+   fun:opensslcrypto_encrypt_and_sign
+   fun:_handle_check_each
+   fun:_send_pings
+   fun:_handle_heartbt_thread
+   fun:start_thread
+   fun:clone
+}
+{
+   Opensuse tumbleweed libnss
+   Memcheck:Cond
+   obj:/usr/lib64/libcrypto.so.1.1
+   fun:RAND_DRBG_generate
+   fun:RAND_DRBG_bytes
+   fun:encrypt_openssl
+   fun:opensslcrypto_encrypt_and_signv
+   fun:opensslcrypto_encrypt_and_sign
+   fun:_handle_check_each
+   fun:_send_pings
+   fun:_handle_heartbt_thread
+   fun:start_thread
+   fun:clone
+}
+{
+   Opensuse tumbleweed libnss
+   Memcheck:Param
+   sendmsg(msg.msg_iov[0])
+   fun:sendmsg
+   fun:_sendmmsg
+   fun:_dispatch_to_links
+   fun:_parse_recv_from_sock
+   fun:_handle_send_to_links
+   fun:_handle_send_to_links_thread
+   fun:start_thread
+   fun:clone
+}

libknet/Makefile.am

@@ -18,7 +18,7 @@ EXTRA_DIST		= $(SYMFILE)
 SUBDIRS			= . tests
 
 # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-libversion		= 3:0:2
+libversion		= 4:0:3
 
 # override global LIBS that pulls in lots of craft we don't need here
 LIBS			=
@@ -36,6 +36,7 @@ sources			= \
 			  links_acl_loopback.c \
 			  logging.c \
 			  netutils.c \
+			  onwire.c \
 			  threads_common.c \
 			  threads_dsthandler.c \
 			  threads_heartbeat.c \

libknet/crypto.c

@@ -151,16 +151,18 @@ int crypto_init(
 		goto out;
 	}
 
-	log_debug(knet_h, KNET_SUB_CRYPTO, "security network overhead: %zu", knet_h->sec_header_size);
-
 out:
 	if (!err) {
 		knet_h->crypto_instance = new;
-		knet_h->sec_header_size = new->sec_header_size;
 		knet_h->sec_block_size = new->sec_block_size;
 		knet_h->sec_hash_size = new->sec_hash_size;
 		knet_h->sec_salt_size = new->sec_salt_size;
 
+		log_debug(knet_h, KNET_SUB_CRYPTO, "Hash size: %zu salt size: %zu block size: %zu",
+			  knet_h->sec_hash_size,
+			  knet_h->sec_salt_size,
+			  knet_h->sec_block_size);
+
 		if (current) {
 			if (crypto_modules_cmds[current->model].ops->fini != NULL) {
 				crypto_modules_cmds[current->model].ops->fini(knet_h, current);
@@ -195,7 +197,6 @@ void crypto_fini(
 			crypto_modules_cmds[knet_h->crypto_instance->model].ops->fini(knet_h, knet_h->crypto_instance);
 		}
 		free(knet_h->crypto_instance);
-		knet_h->sec_header_size = 0;
 		knet_h->sec_block_size = 0;
 		knet_h->sec_hash_size = 0;
 		knet_h->sec_salt_size = 0;

libknet/crypto_model.h

@@ -14,13 +14,12 @@
 struct crypto_instance {
 	int	model;
 	void	*model_instance;
-	size_t	sec_header_size;
 	size_t	sec_block_size;
 	size_t	sec_hash_size;
 	size_t	sec_salt_size;
 };
 
-#define KNET_CRYPTO_MODEL_ABI 2
+#define KNET_CRYPTO_MODEL_ABI 3
 
 /*
  * see compress_model.h for explanation of the various lib related functions

libknet/crypto_nss.c

@@ -801,10 +801,7 @@ static int nsscrypto_init(
 		goto out_err;
 	}
 
-	crypto_instance->sec_header_size = 0;
-
 	if (nsscrypto_instance->crypto_hash_type > 0) {
-		crypto_instance->sec_header_size += nsshash_len[nsscrypto_instance->crypto_hash_type];
 		crypto_instance->sec_hash_size = nsshash_len[nsscrypto_instance->crypto_hash_type];
 	}
 
@@ -821,8 +818,6 @@ static int nsscrypto_init(
 			}
 		}
 
-		crypto_instance->sec_header_size += (block_size * 2);
-		crypto_instance->sec_header_size += SALT_SIZE;
 		crypto_instance->sec_salt_size = SALT_SIZE;
 		crypto_instance->sec_block_size = block_size;
 	}

libknet/crypto_openssl.c

@@ -566,20 +566,15 @@ static int opensslcrypto_init(
 	memmove(opensslcrypto_instance->private_key, knet_handle_crypto_cfg->private_key, knet_handle_crypto_cfg->private_key_len);
 	opensslcrypto_instance->private_key_len = knet_handle_crypto_cfg->private_key_len;
 
-	crypto_instance->sec_header_size = 0;
-
 	if (opensslcrypto_instance->crypto_hash_type) {
 		crypto_instance->sec_hash_size = EVP_MD_size(opensslcrypto_instance->crypto_hash_type);
-		crypto_instance->sec_header_size += crypto_instance->sec_hash_size;
 	}
 
 	if (opensslcrypto_instance->crypto_cipher_type) {
 		size_t block_size;
 
 		block_size = EVP_CIPHER_block_size(opensslcrypto_instance->crypto_cipher_type);
 
-		crypto_instance->sec_header_size += (block_size * 2);
-		crypto_instance->sec_header_size += SALT_SIZE;
 		crypto_instance->sec_salt_size = SALT_SIZE;
 		crypto_instance->sec_block_size = block_size;
 	}

libknet/handle.c

@@ -1174,16 +1174,57 @@ int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled)
 		return -1;
 	}
 
-	knet_h->enabled = enabled;
-
 	if (enabled) {
+		knet_h->enabled = enabled;
 		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is enabled");
 	} else {
-		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is disabled");
+		/*
+		 * notify TX and RX threads to flush the queues
+		 */
+		if (set_thread_flush_queue(knet_h, KNET_THREAD_TX, KNET_THREAD_QUEUE_FLUSH) < 0) {
+			log_debug(knet_h, KNET_SUB_HANDLE, "Unable to request queue flushing for TX thread");
+		}
+		if (set_thread_flush_queue(knet_h, KNET_THREAD_RX, KNET_THREAD_QUEUE_FLUSH) < 0) {
+			log_debug(knet_h, KNET_SUB_HANDLE, "Unable to request queue flushing for RX thread");
+		}
 	}
 
 	pthread_rwlock_unlock(&knet_h->global_rwlock);
 
+	/*
+	 * when disabling data forward, we need to give time to TX and RX
+	 * to flush the queues.
+	 *
+	 * the TX thread is the main leader here. When there is no more
+	 * data in the TX queue, we will also close traffic for RX.
+	 */
+	if (!enabled) {
+		/*
+		 * this usleep might be unnecessary, but wait_all_threads_flush_queue
+		 * adds extra locking delay.
+		 *
+		 * allow all threads to run free without extra locking interference
+		 * and then we switch to a more active wait in case the scheduler
+		 * has decided to delay one thread or another
+		 */
+		usleep(KNET_THREADS_TIMERES * 2);
+		wait_all_threads_flush_queue(knet_h);
+
+		/*
+		 * all threads have done flushing the queue, we can stop data forwarding
+		 */
+		savederrno = get_global_wrlock(knet_h);
+		if (savederrno) {
+			log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+				strerror(savederrno));
+			errno = savederrno;
+			return -1;
+		}
+		knet_h->enabled = enabled;
+		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is disabled");
+		pthread_rwlock_unlock(&knet_h->global_rwlock);
+	}
+
 	errno = 0;
 	return 0;
 }
@@ -1320,6 +1361,41 @@ int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 	return 0;
 }
 
+int knet_handle_pmtud_set(knet_handle_t knet_h,
+			  unsigned int iface_mtu)
+{
+	int savederrno = 0;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (iface_mtu > KNET_PMTUD_SIZE_V4) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	savederrno = pthread_rwlock_rdlock(&knet_h->global_rwlock);
+	if (savederrno) {
+		log_err(knet_h, KNET_SUB_PMTUD, "Unable to get read lock: %s",
+			strerror(savederrno));
+		errno = savederrno;
+		return -1;
+	}
+
+	log_info(knet_h, KNET_SUB_PMTUD, "MTU manually set to: %u", iface_mtu);
+
+	knet_h->manual_mtu = iface_mtu;
+
+	force_pmtud_run(knet_h, KNET_SUB_PMTUD, 0);
+
+	pthread_rwlock_unlock(&knet_h->global_rwlock);
+
+	errno = 0;
+	return 0;
+}
+
 int knet_handle_pmtud_get(knet_handle_t knet_h,
 			  unsigned int *data_mtu)
 {

libknet/internals.h

@@ -71,13 +71,16 @@ struct knet_link {
 	uint8_t received_pong;
 	struct timespec ping_last;
 	/* used by PMTUD thread as temp per-link variables and should always contain the onwire_len value! */
-	uint32_t proto_overhead;
+	uint32_t proto_overhead;		/* IP + UDP/SCTP overhead. NOT to be confused
+						   with stats.proto_overhead that includes also knet headers
+						   and crypto headers */
 	struct timespec pmtud_last;
 	uint32_t last_ping_size;
 	uint32_t last_good_mtu;
 	uint32_t last_bad_mtu;
 	uint32_t last_sent_mtu;
 	uint32_t last_recv_mtu;
+	uint32_t pmtud_crypto_timeout_multiplier;/* used by PMTUd to adjust timeouts on high loads */
 	uint8_t has_valid_mtu;
 };
 
@@ -161,6 +164,7 @@ struct knet_handle {
 	int dst_link_handler_epollfd;
 	uint8_t use_access_lists; /* set to 0 for disable, 1 for enable */
 	unsigned int pmtud_interval;
+	unsigned int manual_mtu;
 	unsigned int data_mtu;	/* contains the max data size that we can send onwire
 				 * without frags */
 	struct knet_host *host_head;
@@ -178,6 +182,7 @@ struct knet_handle {
 	struct knet_header *pingbuf;
 	struct knet_header *pmtudbuf;
 	uint8_t threads_status[KNET_THREAD_MAX];
+	uint8_t threads_flush_queue[KNET_THREAD_MAX];
 	pthread_mutex_t threads_status_mutex;
 	pthread_t send_to_links_thread;
 	pthread_t recv_from_links_thread;
@@ -197,7 +202,6 @@ struct knet_handle {
 	int pmtud_forcerun;
 	int pmtud_abort;
 	struct crypto_instance *crypto_instance;
-	size_t sec_header_size;
 	size_t sec_block_size;
 	size_t sec_hash_size;
 	size_t sec_salt_size;

libknet/libknet.h

@@ -614,6 +614,32 @@ int knet_handle_enable_pmtud_notify(knet_handle_t knet_h,
 						void *private_data,
 						unsigned int data_mtu));
 
+/**
+ * knet_handle_pmtud_set
+ *
+ * @brief Set the current interface MTU
+ *
+ * knet_h    - pointer to knet_handle_t
+ *
+ * iface_mtu - current interface MTU, value 0 to 65535. 0 will
+ *             re-enable automatic MTU discovery.
+ *             In a setup with multiple interfaces, please specify
+ *             the lowest MTU between the selected intefaces.
+ *             knet will automatically adjust this value for
+ *             all headers overhead and set the correct data_mtu.
+ *             data_mtu can be retrivied with knet_handle_pmtud_get(3)
+ *             or applications will receive a pmtud_nofity event
+ *             if enabled via knet_handle_enable_pmtud_notify(3).
+ *
+ * @return
+ * knet_handle_pmtud_set returns
+ * 0 on success
+ * -1 on error and errno is set.
+ */
+
+int knet_handle_pmtud_set(knet_handle_t knet_h,
+			  unsigned int iface_mtu);
+
 /**
  * knet_handle_pmtud_get
  *