Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: dc4d21e)
tls: handle attepts to renegotiate hs 38/40538/3
authorFlorin Coras <fcoras@cisco.com>
Thu, 14 Mar 2024 05:03:33 +0000 (22:03 -0700)
committerDave Barach <vpp@barachs.net>
Mon, 18 Mar 2024 19:20:38 +0000 (19:20 +0000)
Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I549d0c8715e5c06bfc22be26ca1dc78ec3c29a61

src/plugins/tlsopenssl/tls_openssl.c patch | blob | history
src/plugins/tlspicotls/tls_picotls.c patch | blob | history
src/vnet/tls/tls.h patch | blob | history

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 8767433..75e58f6 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -265,6 +265,14 @@ openssl_handle_handshake_failure (tls_ctx_t * ctx)
 {
   session_t *app_session;
 
+  /* Failed to renegotiate handshake */
+  if (ctx->flags & TLS_CONN_F_HS_DONE)
+    {
+      tls_notify_app_io_error (ctx);
+      tls_disconnect_transport (ctx);
+      return;
+    }
+
   if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
     {
       /*
@@ -334,6 +342,10 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
   if (SSL_in_init (oc->ssl))
     return -1;
 
+  /* Renegotiated handshake, app must not be notified */
+  if (PREDICT_FALSE (ctx->flags & TLS_CONN_F_HS_DONE))
+    return 0;
+
   /*
    * Handshake complete
    */
@@ -379,7 +391,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
          return -1;
        }
     }
-
+  ctx->flags |= TLS_CONN_F_HS_DONE;
   TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
           oc->openssl_ctx_index, SSL_get_cipher (oc->ssl));
   return rv;
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 88b99a4..81c4b2e 100644 (file)
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -453,6 +453,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session)
            }
        }
 
+      ctx->flags |= TLS_CONN_F_HS_DONE;
       if (!svm_fifo_max_dequeue (tcp_session->rx_fifo))
        return 0;
     }
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
index 528cdad..6bd1371 100644 (file)
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
@@ -61,7 +61,8 @@ STATIC_ASSERT (sizeof (tls_ctx_id_t) <= TRANSPORT_CONN_ID_LEN,
   _ (APP_CLOSED, "app-closed")                                                \
   _ (MIGRATED, "migrated")                                                    \
   _ (NO_APP_SESSION, "no-app-session")                                        \
-  _ (RESUME, "resume")
+  _ (RESUME, "resume")                                                        \
+  _ (HS_DONE, "handshake-done")
 
 typedef enum tls_conn_flags_bit_
 {
Vector Packet Processing