Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/03/16 02:03:02 UTC

[trafficserver] 02/03: Generate client address validation token

This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 89f9562844399648d28184662b60fe1072ca000f
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Fri Mar 16 10:57:44 2018 +0900

    Generate client address validation token
---
 iocore/net/QUICPacketHandler.cc | 31 +++-------------------
 iocore/net/quic/QUICGlobals.cc  | 57 +++++++++++++++++++++++++++++++++++++++--
 iocore/net/quic/QUICGlobals.h   | 15 +++++------
 3 files changed, 64 insertions(+), 39 deletions(-)

diff --git a/iocore/net/QUICPacketHandler.cc b/iocore/net/QUICPacketHandler.cc
index da98693..f5a3bbe 100644
--- a/iocore/net/QUICPacketHandler.cc
+++ b/iocore/net/QUICPacketHandler.cc
@@ -27,6 +27,7 @@
 #include "QUICPacket.h"
 #include "QUICDebugNames.h"
 #include "QUICEvents.h"
+#include "QUICGlobals.h"
 
 //
 // QUICPacketHandler
@@ -85,32 +86,6 @@ QUICPacketHandler::_read_connection_id(IOBufferBlock *block)
   return QUICPacket::connection_id(buf);
 }
 
-// TODO: ramdomize token and verify it
-// dummy token to simplify test
-static uint8_t token[] = {0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
-                          0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
-                          0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
-                          0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef};
-
-static int
-generate_cookie_callback(SSL * /* ssl */, unsigned char *cookie, size_t *cookie_len)
-{
-  memcpy(cookie, token, sizeof(token));
-  *cookie_len = sizeof(token);
-
-  return 1;
-}
-
-static int
-verify_cookie_callback(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
-{
-  if (memcmp(token, cookie, sizeof(token)) == 0) {
-    return 1;
-  } else {
-    return 0;
-  }
-}
-
 //
 // QUICPacketHandlerIn
 //
@@ -123,8 +98,8 @@ QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt,
 
   // callbacks for cookie ext
   // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
-  SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, generate_cookie_callback);
-  SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, verify_cookie_callback);
+  SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUIC::ssl_generate_stateless_cookie);
+  SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUIC::ssl_verify_stateless_cookie);
 }
 
 QUICPacketHandlerIn::~QUICPacketHandlerIn()
diff --git a/iocore/net/quic/QUICGlobals.cc b/iocore/net/quic/QUICGlobals.cc
index 7627a2e..c843e9b 100644
--- a/iocore/net/quic/QUICGlobals.cc
+++ b/iocore/net/quic/QUICGlobals.cc
@@ -21,17 +21,37 @@
  *  limitations under the License.
  */
 
-#include <cstring>
 #include "QUICGlobals.h"
+
+#include <cstring>
+
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+
+#include "P_SSLNextProtocolSet.h"
+#include "P_QUICNetVConnection.h"
 #include "QUICStats.h"
 #include "QUICConnection.h"
-#include "P_SSLNextProtocolSet.h"
 
 RecRawStatBlock *quic_rsb;
 
 int QUIC::ssl_quic_qc_index = -1;
 int QUIC::ssl_quic_hs_index = -1;
 
+static constexpr size_t STATELESS_COOKIE_SECRET_LENGTH                 = 16;
+static uint8_t stateless_cookie_secret[STATELESS_COOKIE_SECRET_LENGTH] = {0};
+
+void
+QUIC::init()
+{
+  QUIC::_register_stats();
+  ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
+  ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
+
+  // TODO: read cookie secret from file like SSLTicketKeyConfig
+  RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH);
+}
+
 int
 QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen,
                                void *)
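Review bot: The return value of RAND_bytes() at the end of init() is discarded, so if the CSPRNG fails the stateless cookie secret keeps its all-zero initializer and the HMAC key becomes predictable for every cookie the process issues. Fail startup instead, using a release-mode check so the call is never compiled out of an assert: `ink_release_assert(RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH) == 1);`. RAND_bytes is declared in `<openssl/rand.h>`, which this hunk does not add alongside `<openssl/hmac.h>` and `<openssl/evp.h>`; it may arrive transitively, but an explicit include is safer. The trailing context lines belong to ssl_select_next_protocol, whose body continues past the hunk.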
@@ -50,6 +70,39 @@ QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned cha
   return SSL_TLSEXT_ERR_NOACK;
 }
 
+int
+QUIC::ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len)
+{
+  // Call UnixNetVConnection::get_remote_addr() safely
+  // TODO: add APIs to getting client addr in QUICConnection
+  QUICConnection *qc      = static_cast<QUICConnection *>(SSL_get_ex_data(ssl, QUIC::ssl_quic_qc_index));
+  QUICNetVConnection *qvc = dynamic_cast<QUICNetVConnection *>(qc);
+
+  uint8_t key[INET6_ADDRPORTSTRLEN] = {0};
+  size_t key_len                    = INET6_ADDRPORTSTRLEN;
+  ats_ip_nptop(qvc->get_remote_addr(), reinterpret_cast<char *>(key), key_len);
+
+  unsigned int dst_len = 0;
+  HMAC(EVP_sha1(), stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH, key, key_len, cookie, &dst_len);
+  *cookie_len = dst_len;
+
+  return 1;
+}
+
+int
+QUIC::ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
+{
+  uint8_t token[EVP_MAX_MD_SIZE];
+  size_t token_len;
+
+  if (QUIC::ssl_generate_stateless_cookie(ssl, token, &token_len) && cookie_len == token_len &&
+      memcmp(token, cookie, cookie_len) == 0) {
+    return 1;
+  } else {
+    return 0;
+  }
+}
+
 void
 QUIC::_register_stats()
 {
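Review bot: ssl_generate_stateless_cookie dereferences qvc without checking it, yet SSL_get_ex_data can return nullptr and the dynamic_cast can fail, and the callback contract allows refusing; guard before ats_ip_nptop with `if (qvc == nullptr) { return 0; }` (ssl_verify_stateless_cookie already short-circuits on a 0 return, so token_len is never read uninitialized). In ssl_verify_stateless_cookie the tag comparison uses memcmp, which stops at the first differing byte; compare authentication tags with OpenSSL's constant-time `CRYPTO_memcmp(token, cookie, cookie_len) == 0` instead. Note also that key_len is INET6_ADDRPORTSTRLEN, so the HMAC covers the whole zero-padded buffer rather than just the formatted string; that is consistent between generate and verify but deserves a comment such as `// HMAC over the full zero-padded buffer; generate and verify must agree on key_len`. The NULL return of HMAC() is likewise unchecked. The _register_stats body at the end of the hunk continues outside it.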
diff --git a/iocore/net/quic/QUICGlobals.h b/iocore/net/quic/QUICGlobals.h
index c4b5268..26f2e1b 100644
--- a/iocore/net/quic/QUICGlobals.h
+++ b/iocore/net/quic/QUICGlobals.h
@@ -28,19 +28,16 @@
 class QUIC
 {
 public:
-  static void
-  init()
-  {
-    QUIC::_register_stats();
-    ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
-    ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
-  }
-  static int ssl_quic_qc_index;
-  static int ssl_quic_hs_index;
+  static void init();
 
   // SSL callbacks
   static int ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in,
                                       unsigned inlen, void *);
+  static int ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len);
+  static int ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len);
+
+  static int ssl_quic_qc_index;
+  static int ssl_quic_hs_index;
 
 private:
   static void _register_stats();
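Review bot: The two new cookie callback declarations carry no documentation, although whoever wires them into SSL_CTX_set_stateless_cookie_generate_cb needs to know what the cookie is bound to. Add above ssl_generate_stateless_cookie a comment such as `// Stateless cookie callbacks for SSL_CTX_set_stateless_cookie_{generate,verify}_cb: the cookie is an HMAC of the client's address/port text under a per-process secret initialised in init(); verify regenerates it and compares.` The reordered ssl_quic_qc_index / ssl_quic_hs_index members would also benefit from a one-line note that they are SSL ex_data indices assigned in init().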
