Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/03/16 02:03:02 UTC
[trafficserver] 02/03: Generate client address validation token
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 89f9562844399648d28184662b60fe1072ca000f
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Fri Mar 16 10:57:44 2018 +0900
Generate client address validation token
---
iocore/net/QUICPacketHandler.cc | 31 +++-------------------
iocore/net/quic/QUICGlobals.cc | 57 +++++++++++++++++++++++++++++++++++++++--
iocore/net/quic/QUICGlobals.h | 15 +++++------
3 files changed, 64 insertions(+), 39 deletions(-)
diff --git a/iocore/net/QUICPacketHandler.cc b/iocore/net/QUICPacketHandler.cc
index da98693..f5a3bbe 100644
--- a/iocore/net/QUICPacketHandler.cc
+++ b/iocore/net/QUICPacketHandler.cc
@@ -27,6 +27,7 @@
#include "QUICPacket.h"
#include "QUICDebugNames.h"
#include "QUICEvents.h"
+#include "QUICGlobals.h"
//
// QUICPacketHandler
@@ -85,32 +86,6 @@ QUICPacketHandler::_read_connection_id(IOBufferBlock *block)
return QUICPacket::connection_id(buf);
}
-// TODO: ramdomize token and verify it
-// dummy token to simplify test
-static uint8_t token[] = {0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
- 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
- 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef,
- 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef};
-
-static int
-generate_cookie_callback(SSL * /* ssl */, unsigned char *cookie, size_t *cookie_len)
-{
- memcpy(cookie, token, sizeof(token));
- *cookie_len = sizeof(token);
-
- return 1;
-}
-
-static int
-verify_cookie_callback(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
-{
- if (memcmp(token, cookie, sizeof(token)) == 0) {
- return 1;
- } else {
- return 0;
- }
-}
-
//
// QUICPacketHandlerIn
//
@@ -123,8 +98,8 @@ QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt,
// callbacks for cookie ext
// Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
- SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, generate_cookie_callback);
- SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, verify_cookie_callback);
+ SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUIC::ssl_generate_stateless_cookie);
+ SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUIC::ssl_verify_stateless_cookie);
}
QUICPacketHandlerIn::~QUICPacketHandlerIn()
diff --git a/iocore/net/quic/QUICGlobals.cc b/iocore/net/quic/QUICGlobals.cc
index 7627a2e..c843e9b 100644
--- a/iocore/net/quic/QUICGlobals.cc
+++ b/iocore/net/quic/QUICGlobals.cc
@@ -21,17 +21,37 @@
* limitations under the License.
*/
-#include <cstring>
#include "QUICGlobals.h"
+
+#include <cstring>
+
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+
+#include "P_SSLNextProtocolSet.h"
+#include "P_QUICNetVConnection.h"
#include "QUICStats.h"
#include "QUICConnection.h"
-#include "P_SSLNextProtocolSet.h"
RecRawStatBlock *quic_rsb;
int QUIC::ssl_quic_qc_index = -1;
int QUIC::ssl_quic_hs_index = -1;
+static constexpr size_t STATELESS_COOKIE_SECRET_LENGTH = 16;
+static uint8_t stateless_cookie_secret[STATELESS_COOKIE_SECRET_LENGTH] = {0};
+
+void
+QUIC::init()
+{
+ QUIC::_register_stats();
+ ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
+ ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
+
+ // TODO: read cookie secret from file like SSLTicketKeyConfig
+ RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH);
+}
+
int
QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen,
void *)
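Review bot: The return value of `RAND_bytes` in `QUIC::init()` is ignored, so if the CSPRNG is unseeded or the call fails the secret keeps the all-zero value it is initialised with a few lines above, and every cookie becomes a fixed function of the peer address that any party can recompute. A failure here should be fatal at startup, e.g. `ink_release_assert(RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH) == 1);`. The includes added in this hunk bring in `<openssl/hmac.h>` and `<openssl/evp.h>` but not `<openssl/rand.h>`, which declares `RAND_bytes`; it presumably arrives transitively, but including it directly would make the dependency explicit.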
@@ -50,6 +70,39 @@ QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned cha
return SSL_TLSEXT_ERR_NOACK;
}
+int
+QUIC::ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len)
+{
+ // Call UnixNetVConnection::get_remote_addr() safely
+ // TODO: add APIs to getting client addr in QUICConnection
+ QUICConnection *qc = static_cast<QUICConnection *>(SSL_get_ex_data(ssl, QUIC::ssl_quic_qc_index));
+ QUICNetVConnection *qvc = dynamic_cast<QUICNetVConnection *>(qc);
+
+ uint8_t key[INET6_ADDRPORTSTRLEN] = {0};
+ size_t key_len = INET6_ADDRPORTSTRLEN;
+ ats_ip_nptop(qvc->get_remote_addr(), reinterpret_cast<char *>(key), key_len);
+
+ unsigned int dst_len = 0;
+ HMAC(EVP_sha1(), stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH, key, key_len, cookie, &dst_len);
+ *cookie_len = dst_len;
+
+ return 1;
+}
+
+int
+QUIC::ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
+{
+ uint8_t token[EVP_MAX_MD_SIZE];
+ size_t token_len;
+
+ if (QUIC::ssl_generate_stateless_cookie(ssl, token, &token_len) && cookie_len == token_len &&
+ memcmp(token, cookie, cookie_len) == 0) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
void
QUIC::_register_stats()
{
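Review bot: `ssl_verify_stateless_cookie` compares the recomputed HMAC with the client-supplied cookie using `memcmp`, which stops at the first differing byte; for an authentication tag the comparison should be constant-time, `CRYPTO_memcmp(token, cookie, cookie_len) == 0` (declared in `<openssl/crypto.h>`). In `ssl_generate_stateless_cookie` neither the `SSL_get_ex_data` result nor the `dynamic_cast` result is checked before `qvc->get_remote_addr()` is dereferenced; a guard such as `if (qvc == nullptr) { return 0; }` after the cast turns a missing or non-QUICNetVConnection ex-data entry into a failed handshake instead of a crash. `key_len` is the full `INET6_ADDRPORTSTRLEN` buffer size rather than the length of the text `ats_ip_nptop` produced, so the MAC also covers the zero padding; that is consistent between generate and verify, but deserves a comment if it is intentional. The cookie is a deterministic function of the peer address and the process-lifetime secret alone, so a captured cookie stays valid for as long as the process runs — the TODO in `init()` about loading the secret from a config is the place to also plan for rotation or a timestamp.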
diff --git a/iocore/net/quic/QUICGlobals.h b/iocore/net/quic/QUICGlobals.h
index c4b5268..26f2e1b 100644
--- a/iocore/net/quic/QUICGlobals.h
+++ b/iocore/net/quic/QUICGlobals.h
@@ -28,19 +28,16 @@
class QUIC
{
public:
- static void
- init()
- {
- QUIC::_register_stats();
- ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
- ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
- }
- static int ssl_quic_qc_index;
- static int ssl_quic_hs_index;
+ static void init();
// SSL callbacks
static int ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in,
unsigned inlen, void *);
+ static int ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len);
+ static int ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len);
+
+ static int ssl_quic_qc_index;
+ static int ssl_quic_hs_index;
private:
static void _register_stats();
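Review bot: The two new public callback declarations carry no documentation of their contract; the `// SSL callbacks` comment above says only that they are callbacks. A comment along the lines of `// Stateless cookie callbacks for SSL_CTX_set_stateless_cookie_{generate,verify}_cb: the cookie is an HMAC over the peer address keyed by a per-process secret set in init(); return 1 on success/match, 0 otherwise.` would tell a reader which OpenSSL hooks these satisfy and why verify recomputes via generate. Since `init()` now seeds that secret in the .cc, the header should also state that `init()` must run before either callback is installed.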