From 837826169fd51c1d2bb7703e479447f5d4ffa9a5 Mon Sep 17 00:00:00 2001 From: Yu Ping Date: Wed, 19 Feb 2020 02:31:22 +0800 Subject: tls: handle disconect and reset in async mode Type: fix When async is enabled and request is inflight, delay close oepration Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943 Signed-off-by: Yu Ping --- src/plugins/tlsopenssl/tls_async.c | 22 ++++++++++++++++------ src/plugins/tlsopenssl/tls_openssl.c | 26 +++++++++++++++++++++----- src/plugins/tlsopenssl/tls_openssl.h | 1 + src/vnet/tls/tls.c | 13 ++++++++++--- 4 files changed, 48 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/plugins/tlsopenssl/tls_async.c b/src/plugins/tlsopenssl/tls_async.c index 100a75b3332..86604667eb8 100644 --- a/src/plugins/tlsopenssl/tls_async.c +++ b/src/plugins/tlsopenssl/tls_async.c @@ -303,6 +303,18 @@ vpp_tls_async_init_event (tls_ctx_t * ctx, return 1; } +int +vpp_openssl_is_inflight (tls_ctx_t * ctx) +{ + u32 eidx; + openssl_evt_t *event; + eidx = ctx->evt_index; + event = openssl_evt_get (eidx); + + if (event->status == SSL_ASYNC_INFLIGHT) + return 1; + return 0; +} int vpp_tls_async_update_event (tls_ctx_t * ctx, int eagain) @@ -310,13 +322,11 @@ vpp_tls_async_update_event (tls_ctx_t * ctx, int eagain) u32 eidx; openssl_evt_t *event; + eidx = ctx->evt_index; + event = openssl_evt_get (eidx); + event->status = SSL_ASYNC_INFLIGHT; if (eagain) - { - eidx = ctx->evt_index; - event = openssl_evt_get (eidx); - - return tls_async_openssl_callback (0, &event->cb_args); - } + return tls_async_openssl_callback (0, &event->cb_args); return 1; } diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 8e5e73a6cfb..288f0e1ae1e 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -204,15 +204,22 @@ openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler, static void openssl_handle_handshake_failure (tls_ctx_t * ctx) { + session_t *app_session; + if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl)) { /* * Cleanup pre-allocated app session and close transport */ - session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); - ctx->no_app_session = 1; - ctx->c_s_index = SESSION_INVALID_INDEX; - tls_disconnect_transport (ctx); + app_session = + session_get_if_valid (ctx->c_s_index, ctx->c_thread_index); + if (app_session) + { + session_free (app_session); + ctx->no_app_session = 1; + ctx->c_s_index = SESSION_INVALID_INDEX; + tls_disconnect_transport (ctx); + } } else { @@ -295,7 +302,11 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session) } else { - tls_notify_app_accept (ctx); + /* Need to check transport status */ + if (ctx->is_passive_close) + openssl_handle_handshake_failure (ctx); + else + tls_notify_app_accept (ctx); } TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s", @@ -752,6 +763,11 @@ openssl_handshake_is_over (tls_ctx_t * ctx) static int openssl_transport_close (tls_ctx_t * ctx) { +#ifdef HAVE_OPENSSL_ASYNC + if (vpp_openssl_is_inflight (ctx)) + return 0; +#endif + if (!openssl_handshake_is_over (ctx)) { openssl_handle_handshake_failure (ctx); diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h index f61d986c3b0..5744dcadb3a 100644 --- a/src/plugins/tlsopenssl/tls_openssl.h +++ b/src/plugins/tlsopenssl/tls_openssl.h @@ -68,6 +68,7 @@ int openssl_engine_register (char *engine, char *alg, int async); void openssl_async_node_enable_disable (u8 is_en); clib_error_t *tls_openssl_api_init (vlib_main_t * vm); int tls_openssl_set_ciphers (char *ciphers); +int vpp_openssl_is_inflight (tls_ctx_t * ctx); /* * fd.io coding-style-patch-verification: ON diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index c2616fdde23..257f48cd9ba 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -358,15 +358,22 @@ tls_session_reset_callback (session_t * s) session_t *app_session; ctx = tls_ctx_get (s->opaque); + ctx->is_passive_close = 1; tc = &ctx->connection; if (tls_ctx_handshake_is_over (ctx)) { session_transport_reset_notify (tc); session_transport_closed_notify (tc); + tls_disconnect_transport (ctx); + } + else + if ((app_session = + session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) + { + session_free (app_session); + ctx->c_s_index = SESSION_INVALID_INDEX; + tls_disconnect_transport (ctx); } - else if ((app_session = session_get (tc->s_index, tc->thread_index))) - session_free (app_session); - tls_disconnect_transport (ctx); } int -- cgit 1.2.3-korg