tls: cleanup engine hs cb and improve ctx formatting

Handshake completion is now tracked via a ctx flag so we no longer need ctx_handshake_is_over. Also, as we no longer prealloc application sessions, improve ctx state formatting. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If48588ecde13e56fb99d1a46238bda53ed4eae1b
2023-10-17 11:59:49 -07:00
parent 2193fd0649
commit d0e8bd75f6
6 changed files with 25 additions and 55 deletions
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@ -396,6 +396,8 @@ mbedtls_ctx_handshake_rx (tls_ctx_t * ctx)
  if (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
    return 0;

+  ctx->flags |= TLS_CONN_F_HS_DONE;
+
  /*
   * Handshake complete
   */
@ -532,17 +534,10 @@ mbedtls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
  return enq;
 }

-static u8
-mbedtls_handshake_is_over (tls_ctx_t * ctx)
-{
-  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
-  return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
-}
-
 static int
 mbedtls_transport_close (tls_ctx_t * ctx)
 {
-  if (!mbedtls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      session_close (session_get_from_handle (ctx->tls_session_handle));
      return 0;
@ -554,7 +549,7 @@ mbedtls_transport_close (tls_ctx_t * ctx)
 static int
 mbedtls_transport_reset (tls_ctx_t *ctx)
 {
-  if (!mbedtls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      session_close (session_get_from_handle (ctx->tls_session_handle));
      return 0;
@ -590,7 +585,6 @@ const static tls_engine_vft_t mbedtls_engine = {
  .ctx_init_client = mbedtls_ctx_init_client,
  .ctx_write = mbedtls_ctx_write,
  .ctx_read = mbedtls_ctx_read,
-  .ctx_handshake_is_over = mbedtls_handshake_is_over,
  .ctx_start_listen = mbedtls_start_listen,
  .ctx_stop_listen = mbedtls_stop_listen,
  .ctx_transport_close = mbedtls_transport_close,
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@ -1037,15 +1037,6 @@ openssl_ctx_init_server (tls_ctx_t * ctx)
  return 0;
 }

-static u8
-openssl_handshake_is_over (tls_ctx_t * ctx)
-{
-  openssl_ctx_t *mc = (openssl_ctx_t *) ctx;
-  if (!mc->ssl)
-    return 0;
-  return SSL_is_init_finished (mc->ssl);
-}
-
 static int
 openssl_transport_close (tls_ctx_t * ctx)
 {
@ -1054,7 +1045,7 @@ openssl_transport_close (tls_ctx_t * ctx)
    return 0;
 #endif

-  if (!openssl_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      openssl_handle_handshake_failure (ctx);
      return 0;
@ -1066,7 +1057,7 @@ openssl_transport_close (tls_ctx_t * ctx)
 static int
 openssl_transport_reset (tls_ctx_t *ctx)
 {
-  if (!openssl_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      openssl_handle_handshake_failure (ctx);
      return 0;
@ -1166,7 +1157,6 @@ const static tls_engine_vft_t openssl_engine = {
  .ctx_init_client = openssl_ctx_init_client,
  .ctx_write = openssl_ctx_write,
  .ctx_read = openssl_ctx_read,
-  .ctx_handshake_is_over = openssl_handshake_is_over,
  .ctx_start_listen = openssl_start_listen,
  .ctx_stop_listen = openssl_stop_listen,
  .ctx_transport_close = openssl_transport_close,
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@ -88,14 +88,6 @@ picotls_lctx_get (u32 lctx_index)
  return pool_elt_at_index (picotls_main.lctx_pool, lctx_index);
 }

-static u8
-picotls_handshake_is_over (tls_ctx_t * ctx)
-{
-  picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
-  assert (ptls_ctx->tls);
-  return ptls_handshake_is_complete (ptls_ctx->tls);
-}
-
 static int
 picotls_try_handshake_write (picotls_ctx_t * ptls_ctx,
 			     session_t * tls_session, ptls_buffer_t * buf)
@ -194,7 +186,7 @@ picotls_confirm_app_close (tls_ctx_t * ctx)
 static int
 picotls_transport_close (tls_ctx_t * ctx)
 {
-  if (!picotls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      picotls_handle_handshake_failure (ctx);
      return 0;
@ -206,7 +198,7 @@ picotls_transport_close (tls_ctx_t * ctx)
 static int
 picotls_transport_reset (tls_ctx_t *ctx)
 {
-  if (!picotls_handshake_is_over (ctx))
+  if (!(ctx->flags & TLS_CONN_F_HS_DONE))
    {
      picotls_handle_handshake_failure (ctx);
      return 0;
@ -435,7 +427,7 @@ picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session)
  if (PREDICT_FALSE (!ptls_handshake_is_complete (ptls_ctx->tls)))
    {
      picotls_do_handshake (ptls_ctx, tcp_session);
-      if (picotls_handshake_is_over (ctx))
+      if (ctx->flags & TLS_CONN_F_HS_DONE)
 	{
 	  if (ptls_is_server (ptls_ctx->tls))
 	    {
@ -750,7 +742,6 @@ const static tls_engine_vft_t picotls_engine = {
  .ctx_free = picotls_ctx_free,
  .ctx_get = picotls_ctx_get,
  .ctx_get_w_thread = picotls_ctx_get_w_thread,
-  .ctx_handshake_is_over = picotls_handshake_is_over,
  .ctx_start_listen = picotls_start_listen,
  .ctx_stop_listen = picotls_stop_listen,
  .ctx_init_server = picotls_ctx_init_server,
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@ -310,7 +310,7 @@ send_reply:
 void
 tls_notify_app_io_error (tls_ctx_t *ctx)
 {
-  ASSERT (tls_ctx_handshake_is_over (ctx));
+  ASSERT (ctx->flags & TLS_CONN_F_HS_DONE);

  session_transport_reset_notify (&ctx->connection);
  session_transport_closed_notify (&ctx->connection);
@ -926,24 +926,26 @@ static u8 *
 format_tls_ctx_state (u8 * s, va_list * args)
 {
  tls_ctx_t *ctx;
-  session_t *ts;
+  session_t *as;

  ctx = va_arg (*args, tls_ctx_t *);
-  ts = session_get (ctx->c_s_index, ctx->c_thread_index);
-  if (ts->session_state == SESSION_STATE_LISTENING)
+  as = session_get (ctx->c_s_index, ctx->c_thread_index);
+  if (as->session_state == SESSION_STATE_LISTENING)
    s = format (s, "%s", "LISTEN");
  else
    {
-      if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSED)
-	s = format (s, "%s", "CLOSED");
-      else if (ts->session_state == SESSION_STATE_APP_CLOSED)
-	s = format (s, "%s", "APP-CLOSED");
-      else if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSING)
-	s = format (s, "%s", "CLOSING");
-      else if (tls_ctx_handshake_is_over (ctx))
+      if (as->session_state == SESSION_STATE_READY)
 	s = format (s, "%s", "ESTABLISHED");
+      else if (as->session_state == SESSION_STATE_ACCEPTING)
+	s = format (s, "%s", "ACCEPTING");
+      else if (as->session_state == SESSION_STATE_CONNECTING)
+	s = format (s, "%s", "CONNECTING");
+      else if (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED)
+	s = format (s, "%s", "CLOSED");
+      else if (as->session_state >= SESSION_STATE_TRANSPORT_CLOSING)
+	s = format (s, "%s", "CLOSING");
      else
-	s = format (s, "%s", "HANDSHAKE");
+	s = format (s, "UNHANDLED %u", as->session_state);
    }

  return s;
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
@ -142,9 +142,8 @@ typedef struct tls_engine_vft_
  int (*ctx_init_client) (tls_ctx_t * ctx);
  int (*ctx_init_server) (tls_ctx_t * ctx);
  int (*ctx_read) (tls_ctx_t * ctx, session_t * tls_session);
-  int (*ctx_write) (tls_ctx_t * ctx, session_t * app_session,
-		    transport_send_params_t * sp);
-    u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx);
+  int (*ctx_write) (tls_ctx_t *ctx, session_t *app_session,
+		    transport_send_params_t *sp);
  int (*ctx_start_listen) (tls_ctx_t * ctx);
  int (*ctx_stop_listen) (tls_ctx_t * ctx);
  int (*ctx_transport_close) (tls_ctx_t * ctx);
--- a/src/vnet/tls/tls_inlines.h
+++ b/src/vnet/tls/tls_inlines.h
@ -114,12 +114,6 @@ tls_ctx_app_close (tls_ctx_t *ctx)
  return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx);
 }

-static inline u8
-tls_ctx_handshake_is_over (tls_ctx_t *ctx)
-{
-  return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx);
-}
-
 static inline int
 tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id)
 {