diff options
author | Florin Coras <fcoras@cisco.com> | 2024-03-13 22:03:33 -0700 |
---|---|---|
committer | Dave Barach <vpp@barachs.net> | 2024-03-18 19:20:38 +0000 |
commit | ac60efd523dbbda3952bf4052a5fbeda7cac0a60 (patch) | |
tree | 5e0c5634f32b048ba928136af250956bcf20b324 /src | |
parent | dc4d21e9ce78a77caa7abfe997021cd735863e0f (diff) |
tls: handle attepts to renegotiate hs
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I549d0c8715e5c06bfc22be26ca1dc78ec3c29a61
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 14 | ||||
-rw-r--r-- | src/plugins/tlspicotls/tls_picotls.c | 1 | ||||
-rw-r--r-- | src/vnet/tls/tls.h | 3 |
3 files changed, 16 insertions, 2 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 87674337807..75e58f6579a 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -265,6 +265,14 @@ openssl_handle_handshake_failure (tls_ctx_t * ctx) { session_t *app_session; + /* Failed to renegotiate handshake */ + if (ctx->flags & TLS_CONN_F_HS_DONE) + { + tls_notify_app_io_error (ctx); + tls_disconnect_transport (ctx); + return; + } + if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl)) { /* @@ -334,6 +342,10 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session) if (SSL_in_init (oc->ssl)) return -1; + /* Renegotiated handshake, app must not be notified */ + if (PREDICT_FALSE (ctx->flags & TLS_CONN_F_HS_DONE)) + return 0; + /* * Handshake complete */ @@ -379,7 +391,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session) return -1; } } - + ctx->flags |= TLS_CONN_F_HS_DONE; TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s", oc->openssl_ctx_index, SSL_get_cipher (oc->ssl)); return rv; diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c index 88b99a48aa1..81c4b2ecf57 100644 --- a/src/plugins/tlspicotls/tls_picotls.c +++ b/src/plugins/tlspicotls/tls_picotls.c @@ -453,6 +453,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session) } } + ctx->flags |= TLS_CONN_F_HS_DONE; if (!svm_fifo_max_dequeue (tcp_session->rx_fifo)) return 0; } diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h index 528cdad703b..6bd1371b984 100644 --- a/src/vnet/tls/tls.h +++ b/src/vnet/tls/tls.h @@ -61,7 +61,8 @@ STATIC_ASSERT (sizeof (tls_ctx_id_t) <= TRANSPORT_CONN_ID_LEN, _ (APP_CLOSED, "app-closed") \ _ (MIGRATED, "migrated") \ _ (NO_APP_SESSION, "no-app-session") \ - _ (RESUME, "resume") + _ (RESUME, "resume") \ + _ (HS_DONE, "handshake-done") typedef enum tls_conn_flags_bit_ { |