author | 2023-10-17 11:59:49 -0700 | |
---|---|---|
committer | 2024-09-26 20:44:34 +0000 | |
commit | d0e8bd75f6371d09f31f48ffaf5843dce86ca8e6 (patch) | |
tree | 60afbb7769d3c4abce413d5055387ef031c975d5 /src | |
parent | 2193fd06492ee0f9a8c9b89fe665ecbc4d50cefe (diff) |
tls: cleanup engine hs cb and improve ctx formatting
Handshake completion is now tracked via a ctx flag so we no longer need
ctx_handshake_is_over.
Also, as we no longer prealloc application sessions, improve ctx state
formatting.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If48588ecde13e56fb99d1a46238bda53ed4eae1b
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/tlsmbedtls/tls_mbedtls.c | 14 | ||||
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 14 | ||||
-rw-r--r-- | src/plugins/tlspicotls/tls_picotls.c | 15 | ||||
-rw-r--r-- | src/vnet/tls/tls.c | 24 | ||||
-rw-r--r-- | src/vnet/tls/tls.h | 5 | ||||
-rw-r--r-- | src/vnet/tls/tls_inlines.h | 6 |
6 files changed, 24 insertions, 54 deletions
diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c
index af04f1adeb0..2f4757e28a1 100644
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@@ -396,6 +396,8 @@ mbedtls_ctx_handshake_rx (tls_ctx_t * ctx)
   if (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
     return 0;
 
+  ctx->flags |= TLS_CONN_F_HS_DONE;
+
   /*
    * Handshake complete
    */
@@ -532,17 +534,10 @@ mbedtls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
   return enq;
 }
 
-static u8
-mbedtls_handshake_is_over (tls_ctx_t * ctx)
-{
-  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
-  return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
-}
-
 static int
 mbedtls_transport_close (tls_ctx_t * ctx)
 {
-  if (!mbedtls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       session_close (session_get_from_handle (ctx->tls_session_handle));
       return 0;
@@ -554,7 +549,7 @@ mbedtls_transport_close (tls_ctx_t * ctx)
 static int
 mbedtls_transport_reset (tls_ctx_t *ctx)
 {
-  if (!mbedtls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       session_close (session_get_from_handle (ctx->tls_session_handle));
       return 0;
@@ -590,7 +585,6 @@ const static tls_engine_vft_t mbedtls_engine = {
   .ctx_init_client = mbedtls_ctx_init_client,
   .ctx_write = mbedtls_ctx_write,
   .ctx_read = mbedtls_ctx_read,
-  .ctx_handshake_is_over = mbedtls_handshake_is_over,
   .ctx_start_listen = mbedtls_start_listen,
   .ctx_stop_listen = mbedtls_stop_listen,
   .ctx_transport_close = mbedtls_transport_close,
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 19aae3ffadc..c8e685f20c5 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
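Review bot: The new `ctx->flags |= TLS_CONN_F_HS_DONE;` in mbedtls_ctx_handshake_rx is now the only signal that tells mbedtls_transport_close and mbedtls_transport_reset whether a failing connection is torn down as an aborted handshake, since the state-derived mbedtls_handshake_is_over helper is deleted further down in this file; that dependency deserves a comment at the set site, e.g. `/* Sole handshake-completion signal: transport_close/reset key off this flag */`. The flag is only ever set here and never cleared in this diff, so presumably it is reset when a ctx is allocated or reused — worth confirming. mbedtls_ctx_handshake_rx, mbedtls_transport_close and mbedtls_transport_reset all continue outside their hunks.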
@@ -1037,15 +1037,6 @@ openssl_ctx_init_server (tls_ctx_t * ctx)
   return 0;
 }
 
-static u8
-openssl_handshake_is_over (tls_ctx_t * ctx)
-{
-  openssl_ctx_t *mc = (openssl_ctx_t *) ctx;
-  if (!mc->ssl)
-    return 0;
-  return SSL_is_init_finished (mc->ssl);
-}
-
 static int
 openssl_transport_close (tls_ctx_t * ctx)
 {
@@ -1054,7 +1045,7 @@ openssl_transport_close (tls_ctx_t * ctx)
   return 0;
 #endif
 
-  if (!openssl_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       openssl_handle_handshake_failure (ctx);
       return 0;
@@ -1066,7 +1057,7 @@ openssl_transport_close (tls_ctx_t * ctx)
 static int
 openssl_transport_reset (tls_ctx_t *ctx)
 {
-  if (!openssl_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       openssl_handle_handshake_failure (ctx);
       return 0;
@@ -1166,7 +1157,6 @@ const static tls_engine_vft_t openssl_engine = {
   .ctx_init_client = openssl_ctx_init_client,
   .ctx_write = openssl_ctx_write,
   .ctx_read = openssl_ctx_read,
-  .ctx_handshake_is_over = openssl_handshake_is_over,
   .ctx_start_listen = openssl_start_listen,
   .ctx_stop_listen = openssl_stop_listen,
   .ctx_transport_close = openssl_transport_close,
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 7375b928206..9459cb776b5 100644
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -88,14 +88,6 @@ picotls_lctx_get (u32 lctx_index)
   return pool_elt_at_index (picotls_main.lctx_pool, lctx_index);
 }
 
-static u8
-picotls_handshake_is_over (tls_ctx_t * ctx)
-{
-  picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
-  assert (ptls_ctx->tls);
-  return ptls_handshake_is_complete (ptls_ctx->tls);
-}
-
 static int
 picotls_try_handshake_write (picotls_ctx_t * ptls_ctx, session_t * tls_session,
 			     ptls_buffer_t * buf)
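Review bot: Unlike the mbedtls file, no hunk in tls_openssl.c sets TLS_CONN_F_HS_DONE, yet openssl_transport_close and openssl_transport_reset now rely on it alone in place of the deleted openssl_handshake_is_over, which read `SSL_is_init_finished (mc->ssl)` and also tolerated a NULL `mc->ssl`. Presumably the openssl handshake path already sets the flag in code outside this diff; it is worth confirming that every path that previously made SSL_is_init_finished return true also sets it, since otherwise an established connection would be torn down through openssl_handle_handshake_failure. A one-line comment at the first check, e.g. `/* set by the handshake path once SSL_is_init_finished() holds */`, would record that contract. Both openssl functions continue past their hunks; the picotls hunk at the end of this line is a pure deletion.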
@@ -194,7 +186,7 @@ picotls_confirm_app_close (tls_ctx_t * ctx)
 static int
 picotls_transport_close (tls_ctx_t * ctx)
 {
-  if (!picotls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       picotls_handle_handshake_failure (ctx);
       return 0;
@@ -206,7 +198,7 @@ picotls_transport_close (tls_ctx_t * ctx)
 static int
 picotls_transport_reset (tls_ctx_t *ctx)
 {
-  if (!picotls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
     {
       picotls_handle_handshake_failure (ctx);
       return 0;
@@ -435,7 +427,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session)
   if (PREDICT_FALSE (!ptls_handshake_is_complete (ptls_ctx->tls)))
     {
       picotls_do_handshake (ptls_ctx, tcp_session);
-      if (picotls_handshake_is_over (ctx))
+      if (ctx->flags & TLS_CONN_F_HS_DONE)
 	{
 	  if (ptls_is_server (ptls_ctx->tls))
 	    {
@@ -750,7 +742,6 @@ const static tls_engine_vft_t picotls_engine = {
   .ctx_free = picotls_ctx_free,
   .ctx_get = picotls_ctx_get,
   .ctx_get_w_thread = picotls_ctx_get_w_thread,
-  .ctx_handshake_is_over = picotls_handshake_is_over,
   .ctx_start_listen = picotls_start_listen,
   .ctx_stop_listen = picotls_stop_listen,
   .ctx_init_server = picotls_ctx_init_server,
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 9ca3a91af29..8754b67ca31 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -310,7 +310,7 @@ send_reply:
 void
 tls_notify_app_io_error (tls_ctx_t *ctx)
 {
-  ASSERT (tls_ctx_handshake_is_over (ctx));
+  ASSERT (ctx->flags & TLS_CONN_F_HS_DONE);
 
   session_transport_reset_notify (&ctx->connection);
   session_transport_closed_notify (&ctx->connection);
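Review bot: In picotls_ctx_read the outer test still consults the library (`!ptls_handshake_is_complete (ptls_ctx->tls)`) while the inner test two lines later, after picotls_do_handshake, now consults the ctx flag (`ctx->flags & TLS_CONN_F_HS_DONE`); the two agree only if picotls_do_handshake sets the flag exactly when the library reports completion, which this diff does not show. Either use one source of truth for both checks or add a comment at the inner check such as `/* flag is raised by picotls_do_handshake once ptls reports completion */`, after confirming that is what happens. The removed picotls_handshake_is_over also carried an `assert (ptls_ctx->tls)`; the flag check does not touch ptls_ctx->tls, so nothing is lost there. picotls_ctx_read and the two close/reset functions continue beyond their hunks.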
@@ -926,24 +926,26 @@ static u8 *
 format_tls_ctx_state (u8 * s, va_list * args)
 {
   tls_ctx_t *ctx;
-  session_t *ts;
+  session_t *as;
 
   ctx = va_arg (*args, tls_ctx_t *);
-  ts = session_get (ctx->c_s_index, ctx->c_thread_index);
-  if (ts->session_state == SESSION_STATE_LISTENING)
+  as = session_get (ctx->c_s_index, ctx->c_thread_index);
+  if (as->session_state == SESSION_STATE_LISTENING)
     s = format (s, "%s", "LISTEN");
   else
     {
-      if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSED)
+      if (as->session_state == SESSION_STATE_READY)
+	s = format (s, "%s", "ESTABLISHED");
+      else if (as->session_state == SESSION_STATE_ACCEPTING)
+	s = format (s, "%s", "ACCEPTING");
+      else if (as->session_state == SESSION_STATE_CONNECTING)
+	s = format (s, "%s", "CONNECTING");
+      else if (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED)
 	s = format (s, "%s", "CLOSED");
-      else if (ts->session_state == SESSION_STATE_APP_CLOSED)
-	s = format (s, "%s", "APP-CLOSED");
-      else if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSING)
+      else if (as->session_state >= SESSION_STATE_TRANSPORT_CLOSING)
 	s = format (s, "%s", "CLOSING");
-      else if (tls_ctx_handshake_is_over (ctx))
-	s = format (s, "%s", "ESTABLISHED");
       else
-	s = format (s, "%s", "HANDSHAKE");
+	s = format (s, "UNHANDLED %u", as->session_state);
     }
   return s;
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
index 30bcce005fb..e56c4c079ac 100644
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
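Review bot: The new else-chain in format_tls_ctx_state mixes exact matches (`== SESSION_STATE_READY`, `ACCEPTING`, `CONNECTING`) with ordered range checks (`>= SESSION_STATE_TRANSPORT_CLOSED`, `>= SESSION_STATE_TRANSPORT_CLOSING`), so which label an app-closed session gets, CLOSING or UNHANDLED, depends on the enum ordering, which is not visible here; a short comment above the chain stating that the range checks rely on the session_state_t ordering, and that the app session only exists once the handshake is done (why HANDSHAKE is no longer a reportable state, per the commit message), would spare the next reader that reasoning. The `UNHANDLED %u` fallback is a clear improvement over the old catch-all HANDSHAKE label. The hunk stops at `return s;`, so the function's closing line is outside it.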
@@ -142,9 +142,8 @@ typedef struct tls_engine_vft_
   int (*ctx_init_client) (tls_ctx_t * ctx);
   int (*ctx_init_server) (tls_ctx_t * ctx);
   int (*ctx_read) (tls_ctx_t * ctx, session_t * tls_session);
-  int (*ctx_write) (tls_ctx_t * ctx, session_t * app_session,
-		    transport_send_params_t * sp);
-  u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx);
+  int (*ctx_write) (tls_ctx_t *ctx, session_t *app_session,
+		    transport_send_params_t *sp);
   int (*ctx_start_listen) (tls_ctx_t * ctx);
   int (*ctx_stop_listen) (tls_ctx_t * ctx);
   int (*ctx_transport_close) (tls_ctx_t * ctx);
diff --git a/src/vnet/tls/tls_inlines.h b/src/vnet/tls/tls_inlines.h
index 18002730a30..3e3f59fcf51 100644
--- a/src/vnet/tls/tls_inlines.h
+++ b/src/vnet/tls/tls_inlines.h
@@ -114,12 +114,6 @@ tls_ctx_app_close (tls_ctx_t *ctx)
   return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx);
 }
 
-static inline u8
-tls_ctx_handshake_is_over (tls_ctx_t *ctx)
-{
-  return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx);
-}
-
 static inline int
 tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id)
 {