tls: avoid app session preallocation

[vpp.git] / src / plugins / tlsopenssl / tls_openssl.c

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 8767433..a21e3bb 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -263,22 +263,18 @@ openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler,
 static void
 openssl_handle_handshake_failure (tls_ctx_t * ctx)
 {
-  session_t *app_session;
+  /* Failed to renegotiate handshake */
+  if (ctx->flags & TLS_CONN_F_HS_DONE)
+    {
+      tls_notify_app_io_error (ctx);
+      tls_disconnect_transport (ctx);
+      return;
+    }
 
   if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
     {
-      /*
-       * Cleanup pre-allocated app session and close transport
-       */
-      app_session =
-       session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
-      if (app_session)
-       {
-         session_free (app_session);
-         ctx->c_s_index = SESSION_INVALID_INDEX;
-         tls_disconnect_transport (ctx);
-       }
       ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
+      tls_disconnect_transport (ctx);
     }
   else
     {
@@ -334,6 +330,10 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
   if (SSL_in_init (oc->ssl))
     return -1;
 
+  /* Renegotiated handshake, app must not be notified */
+  if (PREDICT_FALSE (ctx->flags & TLS_CONN_F_HS_DONE))
+    return 0;
+
   /*
    * Handshake complete
    */
@@ -379,7 +379,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
          return -1;
        }
     }
-
+  ctx->flags |= TLS_CONN_F_HS_DONE;
   TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
           oc->openssl_ctx_index, SSL_get_cipher (oc->ssl));
   return rv;