From: Varun Rapelly
Date: Sat, 21 Jun 2025 04:15:11 +0000 (+0000)
Subject: tls: add async support for SSL client
X-Git-Tag: v26.02-rc0~222
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F34%2F43234%2F2;p=vpp.git
tls: add async support for SSL client
This patch enables async processing support for SSL clients.
Type: improvement
Change-Id: I8d9462b439ff6e0962ee30cb8b596a2744a1aa33
Signed-off-by: Varun Rapelly
---
diff --git a/src/plugins/tlsopenssl/tls_async.c b/src/plugins/tlsopenssl/tls_async.c
index dfdababa5fe..1ded98dcd9f 100644
--- a/src/plugins/tlsopenssl/tls_async.c
+++ b/src/plugins/tlsopenssl/tls_async.c
@@ -775,21 +775,43 @@ tls_async_handshake_event_handler (void *async_evt, void *unused)
 return 0;
 }
- /* client not supported */
- if (!SSL_is_server (oc->ssl))
- return 0;
-
- /* Need to check transport status */
- if (ctx->flags & TLS_CONN_F_PASSIVE_CLOSE)
+ if (SSL_is_server (oc->ssl))
 {
- openssl_handle_handshake_failure (ctx);
- return 0;
- }
+ /* Need to check transport status */
+ if (ctx->flags & TLS_CONN_F_PASSIVE_CLOSE)
+ {
+ openssl_handle_handshake_failure (ctx);
+ return 0;
+ }
 
- if (tls_notify_app_accept (ctx))
+ if (tls_notify_app_accept (ctx))
+ {
+ ctx->c_s_index = SESSION_INVALID_INDEX;
+ tls_disconnect_transport (ctx);
+ }
+ }
+ else
 {
- ctx->c_s_index = SESSION_INVALID_INDEX;
- tls_disconnect_transport (ctx);
+ /* Verify server certificate */
+ if ((rv = SSL_get_verify_result (oc->ssl)) != X509_V_OK)
+ {
+ TLS_DBG (1, " failed verify: %s\n",
+ X509_verify_cert_error_string (rv));
+ /*
+ * Presence of hostname enforces strict certificate verification
+ */
+ if (ctx->srv_hostname)
+ {
+ TLS_DBG (1, "Server host name verification failed");
+ openssl_handle_handshake_failure (ctx);
+ return -1;
+ }
+ }
+ if (tls_notify_app_connected (ctx, SESSION_E_NONE))
+ {
+ tls_disconnect_transport (ctx);
+ return -1;
+ }
 }
 TLS_DBG (1, 
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index bcb3c965fbd..a5b6b062c8f 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -789,7 +789,11 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
 SSL_CTX_set_ecdh_auto (oc->client_ssl_ctx, 1);
 SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 if (om->async)
- SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ASYNC);
+ {
+ SSL_CTX_set_mode (oc->client_ssl_ctx, SSL_MODE_ASYNC);
+ SSL_CTX_set_async_callback (oc->client_ssl_ctx,
+ tls_async_openssl_callback);
+ }
 
 rv = SSL_CTX_set_cipher_list (oc->client_ssl_ctx,
 (const char *) om->ciphers);
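Review bot: The return value of `SSL_CTX_set_async_callback` in the new `if (om->async)` block is discarded; it returns 0 on failure, which would leave the client SSL_CTX in SSL_MODE_ASYNC with no callback registered, and the client async path added in tls_async.c appears to rely on that callback to resume a paused handshake. Check the result and fail context initialization, presumably the same way the `SSL_CTX_set_cipher_list` result stored in `rv` just below is handled (that handling is outside the hunk): `if (!SSL_CTX_set_async_callback (oc->client_ssl_ctx, tls_async_openssl_callback))` followed by a `TLS_DBG (1, "failed to set client async callback");` and an error return. The enclosing openssl_ctx_init_client starts and ends outside the hunk.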