TS-4882: Implement TCP Fast Open for server sockets.

Add TCP Fast Open support to the proxy.config.net.sock_option_flag_out
configuration option.

Implement detection of TFO support in SocketManager and use that
to guarantee that we don't try to use TFO on hosts where is is not
supported or enabled.

Add TFO support to both SSLNetVConnection and UnixNetVConnection,
enabling it if the corresponding NetVCOption is set. We only enable
TFO on server sessions that are going to do TLS or are handling
idempotent HTTP methods.

Author: jpeach

doc/admin-guide/files/records.config.en.rst

@@ -3405,13 +3405,19 @@ Sockets
         TCP_NODELAY  (1)
         SO_KEEPALIVE (2)
         SO_LINGER (4) - with a timeout of 0 seconds
+        TCP_FASTOPEN (8)
 
 .. note::
 
    This is a bitmask and you need to decide what bits to set.  Therefore,
    you must set the value to ``3`` if you want to enable nodelay and
    keepalive options above.
 
+.. note::
+
+   To allow TCP Fast Open for client sockets on Linux, bit 2 of
+   the ``net.ipv4.tcp_fastopen`` sysctl must be set.
+
 .. ts:cv:: CONFIG proxy.config.net.sock_send_buffer_size_out INT 0
    :overridable:
 
@@ -3431,6 +3437,7 @@ Sockets
         TCP_NODELAY  (1)
         SO_KEEPALIVE (2)
         SO_LINGER (4) - with a timeout of 0 seconds
+        TCP_FASTOPEN (8)
 
 .. note::
 
@@ -3443,6 +3450,11 @@ Sockets
    are co-located and large numbers of sockets are retained
    in the TIME_WAIT state.
 
+.. note::
+
+   To allow TCP Fast Open for server sockets on Linux, bit 1 of
+   the ``net.ipv4.tcp_fastopen`` sysctl must be set.
+
 .. ts:cv:: CONFIG proxy.config.net.sock_mss_in INT 0
 
    Same as the command line option ``--accept_mss`` that sets the MSS for all incoming requests.

iocore/eventsystem/I_SocketManager.h

@@ -45,6 +45,14 @@
 #define SOCK_CLOEXEC O_CLOEXEC
 #endif
 
+#ifndef MSG_FASTOPEN
+#if defined(linux)
+#define MSG_FASTOPEN 0x20000000
+#else
+#define MSG_FASTOPEN 0
+#endif
+#endif
+
 #define DEFAULT_OPEN_MODE 0644
 
 class Thread;
@@ -57,6 +65,9 @@ extern int net_config_poll_timeout;
 struct SocketManager {
   SocketManager();
 
+  // Test whether TCP Fast Open is supported on this host.
+  static bool fastopen_supported();
+
   // result is the socket or -errno
   SOCKET socket(int domain = AF_INET, int type = SOCK_STREAM, int protocol = 0);
   SOCKET mc_socket(int domain = AF_INET, int type = SOCK_DGRAM, int protocol = 0, bool bNonBlocking = true);
@@ -89,23 +100,27 @@ struct SocketManager {
   int ftruncate(int fildes, off_t length);
   int lockf(int fildes, int function, off_t size);
   int poll(struct pollfd *fds, unsigned long nfds, int timeout);
+
 #if TS_USE_EPOLL
   int epoll_create(int size);
   int epoll_close(int eps);
   int epoll_ctl(int epfd, int op, int fd, struct epoll_event *event);
   int epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout = net_config_poll_timeout);
 #endif
+
 #if TS_USE_KQUEUE
   int kqueue();
   int kevent(int kq, const struct kevent *changelist, int nchanges, struct kevent *eventlist, int nevents,
              const struct timespec *timeout);
 #endif
+
 #if TS_USE_PORT
   int port_create();
   int port_associate(int port, int fd, uintptr_t obj, int events, void *user);
   int port_dissociate(int port, int fd, uintptr_t obj);
   int port_getn(int port, port_event_t *list, uint_t max, uint_t *nget, timespec_t *timeout);
 #endif
+
   int shutdown(int s, int how);
   int dup(int s);
 

iocore/eventsystem/SocketManager.cc

@@ -28,6 +28,9 @@
 #include "ts/ink_platform.h"
 #include "P_EventSystem.h"
 
+#include "ts/TextBuffer.h"
+#include "ts/TestBox.h"
+
 SocketManager socketManager;
 
 #if !HAVE_ACCEPT4
@@ -108,3 +111,36 @@ SocketManager::close(int s)
   } while (res == -EINTR);
   return res;
 }
+
+bool
+SocketManager::fastopen_supported()
+{
+  static const unsigned TFO_CLIENT_ENABLE = 1;
+
+  ats_scoped_fd fd(::open("/proc/sys/net/ipv4/tcp_fastopen", O_RDONLY));
+  int value = 0;
+
+  if (fd) {
+    textBuffer buffer(16);
+
+    buffer.slurp(fd.get());
+    value = atoi(buffer.bufPtr());
+  }
+
+  return value & TFO_CLIENT_ENABLE;
+}
+
+REGRESSION_TEST(socket_fastopen)(RegressionTest *test, int level, int *pstatus)
+{
+  TestBox box(test, pstatus);
+
+  box = REGRESSION_TEST_PASSED;
+
+  if (SocketManager::fastopen_supported()) {
+    box.check(MSG_FASTOPEN != 0, "TCP Fast Open is supported, MSG_FASTOPEN must not be 0");
+  }
+
+  if (::access("/proc/sys/net/ipv4/tcp_fastopen", F_OK) == 0) {
+    box.check(MSG_FASTOPEN != 0, "TCP Fast Open is available, MSG_FASTOPEN must not be 0");
+  }
+}

iocore/net/BIO_fastopen.cc

@@ -0,0 +1,162 @@
+/** @file
+ *
+ *  OpenSSL socket BIO that does TCP Fast Open.
+ *
+ *  @section license License
+ *
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#include "I_Net.h"
+#include "I_SocketManager.h"
+#include "ts/ink_assert.h"
+
+#include "BIO_fastopen.h"
+
+static int
+fastopen_create(BIO *bio)
+{
+  bio->init  = 0;
+  bio->num   = NO_FD;
+  bio->flags = 0;
+  bio->ptr   = NULL;
+
+  return 1;
+}
+
+static int
+fastopen_destroy(BIO *bio)
+{
+  if (bio) {
+    // We expect this BIO to not own the socket, so we must always
+    // be in NOCLOSE mode.
+    ink_assert(bio->shutdown == BIO_NOCLOSE);
+    fastopen_create(bio);
+  }
+
+  return 1;
+}
+
+static int
+fastopen_bwrite(BIO *bio, const char *in, int insz)
+{
+  int64_t err;
+
+  errno = 0;
+  BIO_clear_retry_flags(bio);
+  ink_assert(bio->num != NO_FD);
+
+  if (bio->ptr) {
+    // On the first write only, make a TFO request if TFO is enabled.
+    // The best documentation on the behavior of the Linux API is in
+    // RFC 7413. If we get EINPROGRESS it means that the SYN has been
+    // sent without data dn we sshould retry.
+    const sockaddr *dst = reinterpret_cast<const sockaddr *>(bio->ptr);
+
+    err = socketManager.sendto(bio->num, (void *)in, insz, MSG_FASTOPEN, dst, ats_ip_size(dst));
+
+    bio->ptr = NULL;
+  } else {
+    err = socketManager.write(bio->num, (void *)in, insz);
+  }
+
+  if (err < 0) {
+    errno = -err;
+    if (BIO_sock_non_fatal_error(errno)) {
+      BIO_set_retry_write(bio);
+    }
+  }
+
+  return err < 0 ? -1 : err;
+}
+
+static int
+fastopen_bread(BIO *bio, char *out, int outsz)
+{
+  int64_t err;
+
+  errno = 0;
+  BIO_clear_retry_flags(bio);
+  ink_assert(bio->num != NO_FD);
+
+  // TODO: If we haven't done the fastopen, ink_abort().
+
+  err = socketManager.read(bio->num, out, outsz);
+  if (err < 0) {
+    errno = -err;
+    if (BIO_sock_non_fatal_error(errno)) {
+      BIO_set_retry_write(bio);
+    }
+  }
+
+  return err < 0 ? -1 : err;
+}
+
+static long
+fastopen_ctrl(BIO *bio, int cmd, long larg, void *ptr)
+{
+  switch (cmd) {
+  case BIO_C_SET_FD:
+    ink_assert(larg == BIO_CLOSE || larg == BIO_NOCLOSE);
+    ink_assert(bio->num == NO_FD);
+
+    bio->init     = 1;
+    bio->shutdown = larg;
+    bio->num      = *reinterpret_cast<int *>(ptr);
+    return 0;
+
+  case BIO_C_SET_CONNECT:
+    // We only support BIO_set_conn_address(), which sets a sockaddr.
+    ink_assert(larg == 2);
+    bio->ptr = ptr;
+    return 0;
+
+  // We are unbuffered so unconditionally succeed on BIO_flush().
+  case BIO_CTRL_FLUSH:
+    return 1;
+
+  case BIO_CTRL_PUSH:
+  case BIO_CTRL_POP:
+    return 0;
+
+  default:
+#if DEBUG
+    ink_abort("unsupported BIO control cmd=%d larg=%ld ptr=%p", cmd, larg, ptr);
+#endif
+
+    return 0;
+  }
+}
+
+static const BIO_METHOD fastopen_methods = {
+  .type          = BIO_TYPE_SOCKET,
+  .name          = "fastopen",
+  .bwrite        = fastopen_bwrite,
+  .bread         = fastopen_bread,
+  .bputs         = NULL,
+  .bgets         = NULL,
+  .ctrl          = fastopen_ctrl,
+  .create        = fastopen_create,
+  .destroy       = fastopen_destroy,
+  .callback_ctrl = NULL,
+};
+
+const BIO_METHOD *
+BIO_s_fastopen()
+{
+  return &fastopen_methods;
+}

iocore/net/BIO_fastopen.h

@@ -0,0 +1,38 @@
+/** @file
+ *
+ *  OpenSSL socket BIO that does TCP Fast Open.
+ *
+ *  @section license License
+ *
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef BIO_FASTOPEN_H_DA87E080_DB75_4C9C_959A_40243592D454
+#define BIO_FASTOPEN_H_DA87E080_DB75_4C9C_959A_40243592D454
+
+#include <openssl/bio.h>
+
+// Return a BIO_METHOD for a socket BIO that implements TCP Fast Open.
+const BIO_METHOD *BIO_s_fastopen();
+
+// OpenSSL 1.0.2h has BIO_set_conn_ip(), but master has BIO_set_conn_address(). Use
+// the API from master since it makes more sense.
+#if !defined(BIO_set_conn_address)
+#define BIO_set_conn_address(b, addr) BIO_ctrl(b, BIO_C_SET_CONNECT, 2, (char *)addr)
+#endif
+
+#endif /* BIO_FASTOPEN_H_DA87E080_DB75_4C9C_959A_40243592D454 */

iocore/net/I_NetVConnection.h

@@ -142,6 +142,9 @@ struct NetVCOptions {
   /// Make socket block on connect (default: @c false)
   bool f_blocking_connect;
 
+  // Use TCP Fast Open on this socket. The connect(2) call will be omitted.
+  bool f_tcp_fastopen = false;
+
   /// Control use of SOCKS.
   /// Set to @c NO_SOCKS to disable use of SOCKS. Otherwise SOCKS is
   /// used if available.

iocore/net/Makefile.am

@@ -50,6 +50,8 @@ test_certlookup_LDADD = \
   $(top_builddir)/iocore/eventsystem/libinkevent.a
 
 libinknet_a_SOURCES = \
+  BIO_fastopen.cc \
+  BIO_fastopen.h \
   Connection.cc \
   I_Net.h \
   I_NetProcessor.h \

iocore/net/SSLNetVConnection.cc

@@ -28,6 +28,7 @@
 #include "P_SSLUtils.h"
 #include "InkAPIInternal.h" // Added to include the ssl_hook definitions
 #include "P_SSLConfig.h"
+#include "BIO_fastopen.h"
 #include "Log.h"
 
 #include <climits>
@@ -143,7 +144,14 @@ make_ssl_connection(SSL_CTX *ctx, SSLNetVConnection *netvc)
 
     // Only set up the bio stuff for the server side
     if (netvc->get_context() == NET_VCONNECTION_OUT) {
-      SSL_set_fd(ssl, netvc->get_socket());
+      BIO *bio = BIO_new(const_cast<BIO_METHOD *>(BIO_s_fastopen()));
+      BIO_set_fd(bio, netvc->get_socket(), BIO_NOCLOSE);
+
+      if (netvc->options.f_tcp_fastopen) {
+        BIO_set_conn_address(bio, netvc->get_remote_addr());
+      }
+
+      SSL_set_bio(ssl, bio, bio);
     } else {
       netvc->initialize_handshake_buffers();
       BIO *rbio = BIO_new(BIO_s_mem());