From c42fdfb097cd7b49cf5cfe81884e8c5959589847 Mon Sep 17 00:00:00 2001
From: Matus Fabian
Date: Wed, 21 May 2025 14:47:08 +0000
Subject: [PATCH] tls: add half close support

http/2 use vnet_shutdown_session on connection error after it sends GOAWAY frame, which need half_close in underlaying transport proto vft be implemented.

Type: improvement
Change-Id: I93c2e2ccb9bffc31a8111206acd37703c1c28052
Signed-off-by: Matus Fabian
---
 src/plugins/tlsopenssl/tls_openssl.c | 5 ++++-
 src/vnet/tls/tls.c | 26 ++++++++++++++++++++++++++
 src/vnet/tls/tls.h | 4 +++-
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 825aa91ee99..bcb3c965fbd 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -422,7 +422,10 @@ openssl_confirm_app_close (tls_ctx_t *ctx)
 {
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   SSL_shutdown (oc->ssl);
-  tls_disconnect_transport (ctx);
+  if (ctx->flags & TLS_CONN_F_SHUTDOWN_TRANSPORT)
+    tls_shutdown_transport (ctx);
+  else
+    tls_disconnect_transport (ctx);
   session_transport_closed_notify (&ctx->connection);
 }
 
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 1b07352db26..b3c39f15708 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -41,6 +41,18 @@ tls_disconnect_transport (tls_ctx_t * ctx)
     clib_warning ("disconnect returned");
 }
 
+void
+tls_shutdown_transport (tls_ctx_t *ctx)
+{
+  vnet_shutdown_args_t a = {
+    .handle = ctx->tls_session_handle,
+    .app_index = ctx->ts_app_index,
+  };
+
+  if (vnet_shutdown_session (&a))
+    clib_warning ("shutdown returned");
+}
+
 crypto_engine_type_t
 tls_get_available_engine (void)
 {
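Review bot: TLS_CONN_F_SHUTDOWN_TRANSPORT is only ever set (in tls_shutdown, in the tls.c hunk that follows) and never cleared, so once a context has been half-closed the `if` added in openssl_confirm_app_close can no longer reach tls_disconnect_transport: a later full close of the same ctx through tls_disconnect would, if it re-enters openssl_confirm_app_close, take the shutdown branch again, unless tls_disconnect clears the flag, which cannot be seen here because its body lies outside the hunk. Consider clearing it on the full-close path, e.g. `ctx->flags &= ~TLS_CONN_F_SHUTDOWN_TRANSPORT;` before `tls_ctx_app_close (ctx);` in tls_disconnect, or documenting on the flag that a half-close is terminal for the context. Both branches still fall through to session_transport_closed_notify; for the half-close branch a short comment stating that the session layer is meant to treat the transport as closed even though the underlying session was only shut down would make that intent explicit rather than accidental.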
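Review bot: The failure path of the new tls_shutdown_transport drops the error code: `clib_warning ("shutdown returned")` records that the shutdown failed but not why, so the log cannot be correlated with the session layer's error. Keeping the value costs one local, `int rv = vnet_shutdown_session (&a);` / `if (rv)` / `clib_warning ("shutdown returned %d", rv);`, assuming vnet_shutdown_session returns an integer error code as the bare `if` on it suggests; the sibling tls_disconnect_transport above has the same shape and could be aligned at the same time. The function is also a new exported symbol with no header comment; a one-liner such as `/* Half-close (shutdown) the transport session under ctx; see tls_disconnect_transport for the full disconnect */` above it would tell a reader when to call which.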
@@ -738,6 +750,19 @@ tls_connect (transport_endpoint_cfg_t * tep)
   return ctx_index;
 }
 
+void
+tls_shutdown (u32 ctx_handle, clib_thread_index_t thread_index)
+{
+  tls_ctx_t *ctx;
+
+  TLS_DBG (1, "Disconnecting %x", ctx_handle);
+
+  ctx = tls_ctx_get (ctx_handle);
+  ctx->flags |= TLS_CONN_F_APP_CLOSED;
+  ctx->flags |= TLS_CONN_F_SHUTDOWN_TRANSPORT;
+  tls_ctx_app_close (ctx);
+}
+
 void
 tls_disconnect (u32 ctx_handle, clib_thread_index_t thread_index)
 {
@@ -1150,6 +1175,7 @@ tls_enable (vlib_main_t * vm, u8 is_en)
 static const transport_proto_vft_t tls_proto = {
   .enable = tls_enable,
   .connect = tls_connect,
+  .half_close = tls_shutdown,
   .close = tls_disconnect,
   .start_listen = tls_start_listen,
   .stop_listen = tls_stop_listen,
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
index 3c38aaf8c79..04b5d759495 100644
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
@@ -81,7 +81,8 @@ STATIC_ASSERT (sizeof (tls_ctx_id_t) <= TRANSPORT_CONN_ID_LEN,
   _ (NO_APP_SESSION, "no-app-session") \
   _ (RESUME, "resume") \
   _ (HS_DONE, "handshake-done") \
-  _ (ASYNC_RD, "async-read")
+  _ (ASYNC_RD, "async-read") \
+  _ (SHUTDOWN_TRANSPORT, "shutdown-transport")
 
 typedef enum tls_conn_flags_bit_
 {
@@ -183,6 +184,7 @@ int tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err);
 void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session);
 void tls_notify_app_io_error (tls_ctx_t *ctx);
 void tls_disconnect_transport (tls_ctx_t * ctx);
+void tls_shutdown_transport (tls_ctx_t *ctx);
 void tls_add_postponed_ho_cleanups (u32 ho_index);
 void tls_flush_postponed_ho_cleanups ();
 
-- 
2.16.6
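Review bot: The debug trace in the new tls_shutdown, `TLS_DBG (1, "Disconnecting %x", ctx_handle);`, is the same message tls_disconnect emits, so a half-close and a full close are indistinguishable in the log; `TLS_DBG (1, "Shutting down %x", ctx_handle);` keeps the two apart when debugging a GOAWAY sequence. The `thread_index` parameter is unused in the body, presumably because the half_close vft slot requires the same signature as tls_disconnect, and a short `/* thread_index unused; signature dictated by transport_proto_vft_t */` would save the next reader the question. A header comment would also help, stating that the function marks the context app-closed, flags the transport for shutdown rather than disconnect, and hands off to tls_ctx_app_close, which is where the actual close happens and is outside this hunk.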
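Review bot: The new prototype `void tls_shutdown_transport (tls_ctx_t *ctx);` in tls.h is added without a comment, and its neighbour tls_disconnect_transport has none either, so a reader of the header cannot tell how the two differ. I'd add `/* Half-close the transport session under ctx via vnet_shutdown_session; tls_disconnect_transport fully disconnects it. */` above the new line. The SHUTDOWN_TRANSPORT entry added to the flag list earlier in the same file is likewise undocumented; its meaning, that the next confirm_app_close should shut the transport down instead of disconnecting it, is only recoverable by reading tls_openssl.c, so a one-line comment on the flag list (or on the generated TLS_CONN_F_SHUTDOWN_TRANSPORT enumerator) would be worth adding.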