tls: handle disconect and reset in async mode

Type: fix

When async is enabled and request is inflight, delay close oepration

Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943
Signed-off-by: Yu Ping <ping.yu@intel.com>

diff --git a/src/plugins/tlsopenssl/tls_async.c b/src/plugins/tlsopenssl/tls_async.c
index 100a75b..8660466 100644 (file)
--- a/src/plugins/tlsopenssl/tls_async.c
+++ b/src/plugins/tlsopenssl/tls_async.c
@@ -303,6 +303,18 @@ vpp_tls_async_init_event (tls_ctx_t * ctx,
   return 1;
 }
 
+int
+vpp_openssl_is_inflight (tls_ctx_t * ctx)
+{
+  u32 eidx;
+  openssl_evt_t *event;
+  eidx = ctx->evt_index;
+  event = openssl_evt_get (eidx);
+
+  if (event->status == SSL_ASYNC_INFLIGHT)
+    return 1;
+  return 0;
+}
 
 int
 vpp_tls_async_update_event (tls_ctx_t * ctx, int eagain)
@@ -310,13 +322,11 @@ vpp_tls_async_update_event (tls_ctx_t * ctx, int eagain)
   u32 eidx;
   openssl_evt_t *event;
 
+  eidx = ctx->evt_index;
+  event = openssl_evt_get (eidx);
+  event->status = SSL_ASYNC_INFLIGHT;
   if (eagain)
-    {
-      eidx = ctx->evt_index;
-      event = openssl_evt_get (eidx);
-
-      return tls_async_openssl_callback (0, &event->cb_args);
-    }
+    return tls_async_openssl_callback (0, &event->cb_args);
 
   return 1;
 }

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 8e5e73a..288f0e1 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -204,15 +204,22 @@ openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler,
 static void
 openssl_handle_handshake_failure (tls_ctx_t * ctx)
 {
+  session_t *app_session;
+
   if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
     {
       /*
        * Cleanup pre-allocated app session and close transport
        */
-      session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
-      ctx->no_app_session = 1;
-      ctx->c_s_index = SESSION_INVALID_INDEX;
-      tls_disconnect_transport (ctx);
+      app_session =
+       session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
+      if (app_session)
+       {
+         session_free (app_session);
+         ctx->no_app_session = 1;
+         ctx->c_s_index = SESSION_INVALID_INDEX;
+         tls_disconnect_transport (ctx);
+       }
     }
   else
     {
@@ -295,7 +302,11 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
     }
   else
     {
-      tls_notify_app_accept (ctx);
+      /* Need to check transport status */
+      if (ctx->is_passive_close)
+       openssl_handle_handshake_failure (ctx);
+      else
+       tls_notify_app_accept (ctx);
     }
 
   TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
@@ -752,6 +763,11 @@ openssl_handshake_is_over (tls_ctx_t * ctx)
 static int
 openssl_transport_close (tls_ctx_t * ctx)
 {
+#ifdef HAVE_OPENSSL_ASYNC
+  if (vpp_openssl_is_inflight (ctx))
+    return 0;
+#endif
+
   if (!openssl_handshake_is_over (ctx))
     {
       openssl_handle_handshake_failure (ctx);

diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index f61d986..5744dca 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -68,6 +68,7 @@ int openssl_engine_register (char *engine, char *alg, int async);
 void openssl_async_node_enable_disable (u8 is_en);
 clib_error_t *tls_openssl_api_init (vlib_main_t * vm);
 int tls_openssl_set_ciphers (char *ciphers);
+int vpp_openssl_is_inflight (tls_ctx_t * ctx);
 
 /*
  * fd.io coding-style-patch-verification: ON

diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index c2616fd..257f48c 100644 (file)
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -358,15 +358,22 @@ tls_session_reset_callback (session_t * s)
   session_t *app_session;
 
   ctx = tls_ctx_get (s->opaque);
+  ctx->is_passive_close = 1;
   tc = &ctx->connection;
   if (tls_ctx_handshake_is_over (ctx))
     {
       session_transport_reset_notify (tc);
       session_transport_closed_notify (tc);
+      tls_disconnect_transport (ctx);
+    }
+  else
+    if ((app_session =
+        session_get_if_valid (ctx->c_s_index, ctx->c_thread_index)))
+    {
+      session_free (app_session);
+      ctx->c_s_index = SESSION_INVALID_INDEX;
+      tls_disconnect_transport (ctx);
     }
-  else if ((app_session = session_get (tc->s_index, tc->thread_index)))
-    session_free (app_session);
-  tls_disconnect_transport (ctx);
 }
 
 int