authorFlorin Coras <fcoras@cisco.com>2024-03-13 22:03:33 -0700
committerDave Barach <vpp@barachs.net>2024-03-18 19:20:38 +0000
commitac60efd523dbbda3952bf4052a5fbeda7cac0a60 (patch)
tree5e0c5634f32b048ba928136af250956bcf20b324
parentdc4d21e9ce78a77caa7abfe997021cd735863e0f (diff)
tls: handle attepts to renegotiate hs
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I549d0c8715e5c06bfc22be26ca1dc78ec3c29a61
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c14
-rw-r--r--src/plugins/tlspicotls/tls_picotls.c1
-rw-r--r--src/vnet/tls/tls.h3
3 files changed, 16 insertions, 2 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 87674337807..75e58f6579a 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -265,6 +265,14 @@ openssl_handle_handshake_failure (tls_ctx_t * ctx)
{
session_t *app_session;
+ /* Failed to renegotiate handshake */
+ if (ctx->flags & TLS_CONN_F_HS_DONE)
+ {
+ tls_notify_app_io_error (ctx);
+ tls_disconnect_transport (ctx);
+ return;
+ }
+
if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
{
/*
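Review bot: The HS_DONE early return is the right defensive shape — a handshake that fails after the connection is already up presumably cannot be resumed, so dropping the transport instead of entering the pre-handshake cleanup below avoids a half-torn connection — but the one-line comment does not say that, nor that the guard applies to both roles because it precedes the SSL_is_server split. Suggest `/* Handshake failed after the connection was established (renegotiation / post-handshake message). Keys may be unusable, so report an I/O error to the app and drop the transport; the pre-handshake cleanup below assumes the app was never connected. */`. Whether tls_disconnect_transport also releases the ctx, or a later cleanup path does, is not visible here; the rest of the function, including the server/client branches, lies outside the hunk.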
@@ -334,6 +342,10 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
if (SSL_in_init (oc->ssl))
return -1;
+ /* Renegotiated handshake, app must not be notified */
+ if (PREDICT_FALSE (ctx->flags & TLS_CONN_F_HS_DONE))
+ return 0;
+
/*
* Handshake complete
*/
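Review bot: Returning 0 when TLS_CONN_F_HS_DONE is set skips the whole "Handshake complete" block that follows, so any per-connection values derived there keep whatever the first handshake produced even if the renegotiated handshake chose differently; that is acceptable if renegotiation is meant to be ignored, but the comment should say so, e.g. `/* Renegotiated handshake: connection is already established and the app was notified once. Keep existing state and do not re-run completion. */`. A cheaper defense is to refuse renegotiation at the library level so a peer cannot force repeated handshake work — OpenSSL 1.1.0h and later provide SSL_OP_NO_RENEGOTIATION for SSL_CTX_set_options — but option setup is outside this diff, so that is a follow-up. openssl_ctx_handshake_rx continues past the hunk.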
@@ -379,7 +391,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
return -1;
}
}
-
+ ctx->flags |= TLS_CONN_F_HS_DONE;
TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
oc->openssl_ctx_index, SSL_get_cipher (oc->ssl));
return rv;
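Review bot: TLS_CONN_F_HS_DONE is set only after the app-notification code above succeeds; the `return -1` at the start of this hunk, and any similar early return in the elided part of the function, leaves it clear, so a later failure on such a connection still takes the pre-handshake path in openssl_handle_handshake_failure. That looks intentional, since the app never learned about the connection, but it deserves a line so nobody "fixes" it by moving the assignment up: `/* Mark done only once the app has been notified; earlier failures keep the pre-handshake cleanup path */`. The function's body begins outside the hunk.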
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 88b99a48aa1..81c4b2ecf57 100644
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -453,6 +453,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session)
}
}
+ ctx->flags |= TLS_CONN_F_HS_DONE;
if (!svm_fifo_max_dequeue (tcp_session->rx_fifo))
return 0;
}
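Review bot: The flag is set here with no consumer on the picotls side in this commit: tls_openssl.c gained HS_DONE checks in its handshake-failure and handshake-rx paths, but no picotls failure handler is touched, so for picotls the flag currently only records state. If picotls can report a handshake error after completion, the counterpart guard (notify an I/O error and disconnect rather than taking the pre-handshake failure path) is still missing; if it cannot, a short comment saying the flag is informational here would stop the next reader from looking for it: `/* Handshake complete; flag kept for parity with the OpenSSL engine */`. Whether this assignment sits on the handshake-completion branch or is reached on every read is not visible, since picotls_ctx_read starts and ends outside the hunk.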
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
index 528cdad703b..6bd1371b984 100644
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
@@ -61,7 +61,8 @@ STATIC_ASSERT (sizeof (tls_ctx_id_t) <= TRANSPORT_CONN_ID_LEN,
_ (APP_CLOSED, "app-closed") \
_ (MIGRATED, "migrated") \
_ (NO_APP_SESSION, "no-app-session") \
- _ (RESUME, "resume")
+ _ (RESUME, "resume") \
+ _ (HS_DONE, "handshake-done")
typedef enum tls_conn_flags_bit_
{