tls: allow engines to customize close

Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-04-17 14:19:12 -07:00
parent d6c9e82fa3
commit 06a6a30f91
5 changed files with 74 additions and 20 deletions
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@ -100,6 +100,7 @@ mbedtls_ctx_free (tls_ctx_t * ctx)
  mbedtls_ssl_free (&mc->ssl);
  mbedtls_ssl_config_free (&mc->conf);

+  vec_free (ctx->srv_hostname);
  pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index],
 		  mc->mbedtls_ctx_index);
 }
@ -536,6 +537,27 @@ mbedtls_handshake_is_over (tls_ctx_t * ctx)
  return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
 }

+static int
+mbedtls_transport_close (tls_ctx_t * ctx)
+{
+  if (!mbedtls_handshake_is_over (ctx))
+    {
+      session_close (session_get_from_handle (ctx->tls_session_handle));
+      return 0;
+    }
+  session_transport_closing_notify (&ctx->connection);
+  return 0;
+}
+
+static int
+mbedtls_app_close (tls_ctx_t * ctx)
+{
+  tls_disconnect_transport (ctx);
+  session_transport_delete_notify (&ctx->connection);
+  mbedtls_ctx_free (ctx);
+  return 0;
+}
+
 const static tls_engine_vft_t mbedtls_engine = {
  .ctx_alloc = mbedtls_ctx_alloc,
  .ctx_free = mbedtls_ctx_free,
@ -548,6 +570,8 @@ const static tls_engine_vft_t mbedtls_engine = {
  .ctx_handshake_is_over = mbedtls_handshake_is_over,
  .ctx_start_listen = mbedtls_start_listen,
  .ctx_stop_listen = mbedtls_stop_listen,
+  .ctx_transport_close = mbedtls_transport_close,
+  .ctx_app_close = mbedtls_app_close,
 };

 int
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@ -58,6 +58,7 @@ openssl_ctx_free (tls_ctx_t * ctx)

  SSL_free (oc->ssl);

+  vec_free (ctx->srv_hostname);
  pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index],
 		  oc->openssl_ctx_index);
 }
@ -725,6 +726,27 @@ openssl_handshake_is_over (tls_ctx_t * ctx)
  return SSL_is_init_finished (mc->ssl);
 }

+static int
+openssl_transport_close (tls_ctx_t * ctx)
+{
+  if (!openssl_handshake_is_over (ctx))
+    {
+      session_close (session_get_from_handle (ctx->tls_session_handle));
+      return 0;
+    }
+  session_transport_closing_notify (&ctx->connection);
+  return 0;
+}
+
+static int
+openssl_app_close (tls_ctx_t * ctx)
+{
+  tls_disconnect_transport (ctx);
+  session_transport_delete_notify (&ctx->connection);
+  openssl_ctx_free (ctx);
+  return 0;
+}
+
 const static tls_engine_vft_t openssl_engine = {
  .ctx_alloc = openssl_ctx_alloc,
  .ctx_free = openssl_ctx_free,
@ -737,6 +759,8 @@ const static tls_engine_vft_t openssl_engine = {
  .ctx_handshake_is_over = openssl_handshake_is_over,
  .ctx_start_listen = openssl_start_listen,
  .ctx_stop_listen = openssl_stop_listen,
+  .ctx_transport_close = openssl_transport_close,
+  .ctx_app_close = openssl_app_close,
 };

 int
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@ -26,7 +26,7 @@ static tls_engine_vft_t *tls_vfts;

 void tls_disconnect (u32 ctx_handle, u32 thread_index);

-static void
+void
 tls_disconnect_transport (tls_ctx_t * ctx)
 {
  vnet_disconnect_args_t a = {
@ -287,13 +287,6 @@ tls_ctx_alloc (tls_engine_type_t engine_type)
  return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index);
 }

-static inline void
-tls_ctx_free (tls_ctx_t * ctx)
-{
-  vec_free (ctx->srv_hostname);
-  tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx);
-}
-
 static inline tls_ctx_t *
 tls_ctx_get (u32 ctx_handle)
 {
@ -334,7 +327,26 @@ tls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
  return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session);
 }

-static inline u8
+static inline int
+tls_ctx_transport_close (tls_ctx_t * ctx)
+{
+  return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx);
+}
+
+static inline int
+tls_ctx_app_close (tls_ctx_t * ctx)
+{
+  return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx);
+}
+
+void
+tls_ctx_free (tls_ctx_t * ctx)
+{
+  vec_free (ctx->srv_hostname);
+  tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx);
+}
+
+u8
 tls_ctx_handshake_is_over (tls_ctx_t * ctx)
 {
  return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx);
@ -368,13 +380,8 @@ tls_session_disconnect_callback (session_t * tls_session)
 	   tls_session->session_index);

  ctx = tls_ctx_get (tls_session->opaque);
-  if (!tls_ctx_handshake_is_over (ctx))
-    {
-      session_close (tls_session);
-      return;
-    }
  ctx->is_passive_close = 1;
-  session_transport_closing_notify (&ctx->connection);
+  tls_ctx_transport_close (ctx);
 }

 int
@ -542,9 +549,7 @@ tls_disconnect (u32 ctx_handle, u32 thread_index)
  TLS_DBG (1, "Disconnecting %x", ctx_handle);

  ctx = tls_ctx_get (ctx_handle);
-  tls_disconnect_transport (ctx);
-  session_transport_delete_notify (&ctx->connection);
-  tls_ctx_free (ctx);
+  tls_ctx_app_close (ctx);
 }

 u32
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
@ -109,6 +109,8 @@ typedef struct tls_engine_vft_
    u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx);
  int (*ctx_start_listen) (tls_ctx_t * ctx);
  int (*ctx_stop_listen) (tls_ctx_t * ctx);
+  int (*ctx_transport_close) (tls_ctx_t * ctx);
+  int (*ctx_app_close) (tls_ctx_t * ctx);
 } tls_engine_vft_t;

 tls_main_t *vnet_tls_get_main (void);
@ -121,6 +123,7 @@ int tls_add_vpp_q_builtin_rx_evt (session_t * s);
 int tls_notify_app_accept (tls_ctx_t * ctx);
 int tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed);
 void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session);
+void tls_disconnect_transport (tls_ctx_t * ctx);
 #endif /* SRC_VNET_TLS_TLS_H_ */

 /*
--- a/test/test_vcl.py
+++ b/test/test_vcl.py
@ -127,8 +127,6 @@ class VCLTestCase(VppTestCase):
            i.set_table_ip4(0)
            i.admin_down()

-        self.vapi.session_enable_disable(is_enabled=0)
-
    def thru_host_stack_ipv6_setup(self):
        self.vapi.session_enable_disable(is_enabled=1)
        self.create_loopback_interfaces(2)