Code Review
/
vpp.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
review
|
tree
raw
|
inline
| side by side
tls: handle disconect and reset in async mode
[vpp.git]
/
src
/
plugins
/
tlsopenssl
/
tls_openssl.c
diff --git
a/src/plugins/tlsopenssl/tls_openssl.c
b/src/plugins/tlsopenssl/tls_openssl.c
index
c383cf3
..
288f0e1
100644
(file)
--- a/
src/plugins/tlsopenssl/tls_openssl.c
+++ b/
src/plugins/tlsopenssl/tls_openssl.c
@@
-43,7
+43,7
@@
openssl_ctx_alloc (void)
clib_memset (*ctx, 0, sizeof (openssl_ctx_t));
(*ctx)->ctx.c_thread_index = thread_index;
clib_memset (*ctx, 0, sizeof (openssl_ctx_t));
(*ctx)->ctx.c_thread_index = thread_index;
- (*ctx)->ctx.tls_ctx_engine =
TLS
_ENGINE_OPENSSL;
+ (*ctx)->ctx.tls_ctx_engine =
CRYPTO
_ENGINE_OPENSSL;
(*ctx)->ctx.app_session_handle = SESSION_INVALID_HANDLE;
(*ctx)->openssl_ctx_index = ctx - tm->ctx_pool[thread_index];
return ((*ctx)->openssl_ctx_index);
(*ctx)->ctx.app_session_handle = SESSION_INVALID_HANDLE;
(*ctx)->openssl_ctx_index = ctx - tm->ctx_pool[thread_index];
return ((*ctx)->openssl_ctx_index);
@@
-59,6
+59,9
@@
openssl_ctx_free (tls_ctx_t * ctx)
SSL_free (oc->ssl);
SSL_free (oc->ssl);
+#ifdef HAVE_OPENSSL_ASYNC
+ openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
+#endif
vec_free (ctx->srv_hostname);
pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index],
oc->openssl_ctx_index);
vec_free (ctx->srv_hostname);
pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index],
oc->openssl_ctx_index);
@@
-176,31
+179,23
@@
openssl_try_handshake_write (openssl_ctx_t * oc, session_t * tls_session)
#ifdef HAVE_OPENSSL_ASYNC
static int
#ifdef HAVE_OPENSSL_ASYNC
static int
-
vpp_ssl_async_process_event (tls_ctx_t * ctx
,
-
openssl_resume_handler * handler
)
+
openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler
,
+
session_t * session
)
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
-
openssl_tls_callback_t *engine_cb
;
+
int estatus
;
-
engine_cb = vpp_add_async_pending_event (ctx, handler
);
- if (e
ngine_cb
)
+
SSL_get_async_status (oc->ssl, &estatus
);
+ if (e
status == ASYNC_STATUS_EAGAIN
)
{
{
- SSL_set_async_callback_arg (oc->ssl, (void *) engine_cb->arg);
- TLS_DBG (2, "set callback to engine %p\n", engine_cb->callback);
+ vpp_tls_async_update_event (ctx, 1);
+ }
+ else
+ {
+ vpp_tls_async_update_event (ctx, 0);
}
}
- return 0;
-
-}
-
-/* Due to engine busy stat, VPP need to retry later */
-static int
-vpp_ssl_async_retry_func (tls_ctx_t * ctx, openssl_resume_handler * handler)
-{
-
- if (vpp_add_async_run_event (ctx, handler))
- return 1;
- return
0
;
+ return
1
;
}
}
@@
-209,15
+204,22
@@
vpp_ssl_async_retry_func (tls_ctx_t * ctx, openssl_resume_handler * handler)
static void
openssl_handle_handshake_failure (tls_ctx_t * ctx)
{
static void
openssl_handle_handshake_failure (tls_ctx_t * ctx)
{
+ session_t *app_session;
+
if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
{
/*
* Cleanup pre-allocated app session and close transport
*/
if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
{
/*
* Cleanup pre-allocated app session and close transport
*/
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
- ctx->no_app_session = 1;
- ctx->c_s_index = SESSION_INVALID_INDEX;
- tls_disconnect_transport (ctx);
+ app_session =
+ session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
+ if (app_session)
+ {
+ session_free (app_session);
+ ctx->no_app_session = 1;
+ ctx->c_s_index = SESSION_INVALID_INDEX;
+ tls_disconnect_transport (ctx);
+ }
}
else
{
}
else
{
@@
-233,10
+235,6
@@
openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
int rv = 0, err;
{
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
int rv = 0, err;
-#ifdef HAVE_OPENSSL_ASYNC
- int estatus;
- openssl_resume_handler *myself;
-#endif
while (SSL_in_init (oc->ssl))
{
while (SSL_in_init (oc->ssl))
{
@@
-245,18
+243,18
@@
openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
ctx->resume = 0;
}
else if (!openssl_try_handshake_read (oc, tls_session))
ctx->resume = 0;
}
else if (!openssl_try_handshake_read (oc, tls_session))
- {
- break;
- }
-
-#ifdef HAVE_OPENSSL_ASYNC
- myself = openssl_ctx_handshake_rx;
- vpp_ssl_async_process_event (ctx, myself);
-#endif
+ break;
rv = SSL_do_handshake (oc->ssl);
err = SSL_get_error (oc->ssl, rv);
rv = SSL_do_handshake (oc->ssl);
err = SSL_get_error (oc->ssl, rv);
+#ifdef HAVE_OPENSSL_ASYNC
+ if (err == SSL_ERROR_WANT_ASYNC)
+ {
+ openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
+ tls_session);
+ }
+#endif
if (err == SSL_ERROR_SSL)
{
char buf[512];
if (err == SSL_ERROR_SSL)
{
char buf[512];
@@
-268,17
+266,6
@@
openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
}
openssl_try_handshake_write (oc, tls_session);
}
openssl_try_handshake_write (oc, tls_session);
-#ifdef HAVE_OPENSSL_ASYNC
- if (err == SSL_ERROR_WANT_ASYNC)
- {
- SSL_get_async_status (oc->ssl, &estatus);
-
- if (estatus == ASYNC_STATUS_EAGAIN)
- {
- vpp_ssl_async_retry_func (ctx, myself);
- }
- }
-#endif
if (err != SSL_ERROR_WANT_WRITE)
break;
if (err != SSL_ERROR_WANT_WRITE)
break;
@@
-287,7
+274,7
@@
openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
SSL_state_string_long (oc->ssl));
if (SSL_in_init (oc->ssl))
SSL_state_string_long (oc->ssl));
if (SSL_in_init (oc->ssl))
- return
0
;
+ return
-1
;
/*
* Handshake complete
/*
* Handshake complete
@@
-315,7
+302,11
@@
openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
}
else
{
}
else
{
- tls_notify_app_accept (ctx);
+ /* Need to check transport status */
+ if (ctx->is_passive_close)
+ openssl_handle_handshake_failure (ctx);
+ else
+ tls_notify_app_accept (ctx);
}
TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
}
TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
@@
-424,8
+415,10
@@
openssl_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
{
if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
{
- openssl_ctx_handshake_rx (ctx, tls_session);
- return 0;
+ if (openssl_ctx_handshake_rx (ctx, tls_session) < 0)
+ return 0;
+ else
+ goto check_app_fifo;
}
f = tls_session->rx_fifo;
}
f = tls_session->rx_fifo;
@@
-479,7
+472,7
@@
check_app_fifo:
return wrote;
}
svm_fifo_enqueue_nocopy (f, read);
return wrote;
}
svm_fifo_enqueue_nocopy (f, read);
- if (read < enq_max &&
BIO_ctrl_pending (oc->wbio
) > 0)
+ if (read < enq_max &&
SSL_pending (oc->ssl
) > 0)
{
deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max - read);
read = SSL_read (oc->ssl, svm_fifo_tail (f), deq_now);
{
deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max - read);
read = SSL_read (oc->ssl, svm_fifo_tail (f), deq_now);
@@
-487,8
+480,10
@@
check_app_fifo:
svm_fifo_enqueue_nocopy (f, read);
}
svm_fifo_enqueue_nocopy (f, read);
}
- tls_notify_app_enqueue (ctx, app_session);
- if (BIO_ctrl_pending (oc->wbio) > 0)
+ /* If handshake just completed, session may still be in accepting state */
+ if (app_session->session_state >= SESSION_STATE_READY)
+ tls_notify_app_enqueue (ctx, app_session);
+ if (SSL_pending (oc->ssl) > 0)
tls_add_vpp_q_builtin_rx_evt (tls_session);
return wrote;
tls_add_vpp_q_builtin_rx_evt (tls_session);
return wrote;
@@
-503,9
+498,6
@@
openssl_ctx_init_client (tls_ctx_t * ctx)
session_t *tls_session;
const SSL_METHOD *method;
int rv, err;
session_t *tls_session;
const SSL_METHOD *method;
int rv, err;
-#ifdef HAVE_OPENSSL_ASYNC
- openssl_resume_handler *handler;
-#endif
method = SSLv23_client_method ();
if (method == NULL)
method = SSLv23_client_method ();
if (method == NULL)
@@
-567,6
+559,10
@@
openssl_ctx_init_client (tls_ctx_t * ctx)
oc->openssl_ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
oc->openssl_ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
+
+#ifdef HAVE_OPENSSL_ASYNC
+ vpp_tls_async_init_event (ctx, openssl_ctx_handshake_rx, tls_session);
+#endif
while (1)
{
rv = SSL_do_handshake (oc->ssl);
while (1)
{
rv = SSL_do_handshake (oc->ssl);
@@
-575,8
+571,8
@@
openssl_ctx_init_client (tls_ctx_t * ctx)
#ifdef HAVE_OPENSSL_ASYNC
if (err == SSL_ERROR_WANT_ASYNC)
{
#ifdef HAVE_OPENSSL_ASYNC
if (err == SSL_ERROR_WANT_ASYNC)
{
- handler = (openssl_resume_handler *) openssl_ctx_handshake_rx;
-
vpp_ssl_async_process_event (ctx, handler
);
+ openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
+
tls_session
);
break;
}
#endif
break;
}
#endif
@@
-627,8
+623,10
@@
openssl_start_listen (tls_ctx_t * lctx)
SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
#ifdef HAVE_OPENSSL_ASYNC
if (om->async)
SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
#ifdef HAVE_OPENSSL_ASYNC
if (om->async)
- SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ASYNC);
- SSL_CTX_set_async_callback (ssl_ctx, tls_async_openssl_callback);
+ {
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ASYNC);
+ SSL_CTX_set_async_callback (ssl_ctx, tls_async_openssl_callback);
+ }
#endif
SSL_CTX_set_options (ssl_ctx, flags);
SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
#endif
SSL_CTX_set_options (ssl_ctx, flags);
SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
@@
-704,9
+702,6
@@
openssl_ctx_init_server (tls_ctx_t * ctx)
openssl_listen_ctx_t *olc;
session_t *tls_session;
int rv, err;
openssl_listen_ctx_t *olc;
session_t *tls_session;
int rv, err;
-#ifdef HAVE_OPENSSL_ASYNC
- openssl_resume_handler *handler;
-#endif
/* Start a new connection */
/* Start a new connection */
@@
-731,6
+726,9
@@
openssl_ctx_init_server (tls_ctx_t * ctx)
oc->openssl_ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
oc->openssl_ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
+#ifdef HAVE_OPENSSL_ASYNC
+ vpp_tls_async_init_event (ctx, openssl_ctx_handshake_rx, tls_session);
+#endif
while (1)
{
rv = SSL_do_handshake (oc->ssl);
while (1)
{
rv = SSL_do_handshake (oc->ssl);
@@
-739,8
+737,8
@@
openssl_ctx_init_server (tls_ctx_t * ctx)
#ifdef HAVE_OPENSSL_ASYNC
if (err == SSL_ERROR_WANT_ASYNC)
{
#ifdef HAVE_OPENSSL_ASYNC
if (err == SSL_ERROR_WANT_ASYNC)
{
- handler = (openssl_resume_handler *) openssl_ctx_handshake_rx;
-
vpp_ssl_async_process_event (ctx, handler
);
+ openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
+
tls_session
);
break;
}
#endif
break;
}
#endif
@@
-765,6
+763,11
@@
openssl_handshake_is_over (tls_ctx_t * ctx)
static int
openssl_transport_close (tls_ctx_t * ctx)
{
static int
openssl_transport_close (tls_ctx_t * ctx)
{
+#ifdef HAVE_OPENSSL_ASYNC
+ if (vpp_openssl_is_inflight (ctx))
+ return 0;
+#endif
+
if (!openssl_handshake_is_over (ctx))
{
openssl_handle_handshake_failure (ctx);
if (!openssl_handshake_is_over (ctx))
{
openssl_handle_handshake_failure (ctx);
@@
-827,7
+830,12
@@
tls_init_ca_chain (void)
return -1;
}
return -1;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ rv = X509_STORE_load_file (om->cert_store, tm->ca_cert_path);
+#else
rv = X509_STORE_load_locations (om->cert_store, tm->ca_cert_path, 0);
rv = X509_STORE_load_locations (om->cert_store, tm->ca_cert_path, 0);
+#endif
+
if (rv < 0)
{
clib_warning ("failed to load ca certificate");
if (rv < 0)
{
clib_warning ("failed to load ca certificate");
@@
-892,7
+900,7
@@
tls_openssl_init (vlib_main_t * vm)
vec_validate (om->ctx_pool, num_threads - 1);
vec_validate (om->ctx_pool, num_threads - 1);
- tls_register_engine (&openssl_engine,
TLS
_ENGINE_OPENSSL);
+ tls_register_engine (&openssl_engine,
CRYPTO
_ENGINE_OPENSSL);
om->engine_init = 0;
om->engine_init = 0;
@@
-919,7
+927,7
@@
tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
char *engine_alg = NULL;
char *ciphers = NULL;
u8 engine_name_set = 0;
char *engine_alg = NULL;
char *ciphers = NULL;
u8 engine_name_set = 0;
- int i;
+ int i
, async = 0
;
/* By present, it is not allowed to configure engine again after running */
if (om->engine_init)
/* By present, it is not allowed to configure engine again after running */
if (om->engine_init)
@@
-937,8
+945,7
@@
tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
}
else if (unformat (input, "async"))
{
}
else if (unformat (input, "async"))
{
- om->async = 1;
- openssl_async_node_enable_disable (1);
+ async = 1;
}
else if (unformat (input, "alg %s", &engine_alg))
{
}
else if (unformat (input, "alg %s", &engine_alg))
{
@@
-958,16
+965,23
@@
tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
if (!engine_name_set)
{
clib_warning ("No engine provided! \n");
if (!engine_name_set)
{
clib_warning ("No engine provided! \n");
-
om->
async = 0;
+ async = 0;
}
else
{
}
else
{
- if (openssl_engine_register (engine_name, engine_alg) < 0)
+ vnet_session_enable_disable (vm, 1);
+ if (openssl_engine_register (engine_name, engine_alg, async) < 0)
{
{
- return clib_error_return (0, "
f
ailed to register %s polling",
+ return clib_error_return (0, "
F
ailed to register %s polling",
engine_name);
}
engine_name);
}
+ else
+ {
+ vlib_cli_output (vm, "Successfully register engine %s\n",
+ engine_name);
+ }
}
}
+ om->async = async;
return 0;
}
return 0;
}