You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/08/14 06:00:24 UTC
[trafficserver] branch quic-latest updated: Check state of
handshake before change encryption level
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new a9a6890 Check state of handshake before change encryption level
a9a6890 is described below
commit a9a689061d75b1024bba6eff25170aa1705b8a0e
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Tue Aug 14 14:47:09 2018 +0900
Check state of handshake before change encryption level
To avoid sending CONNECTION_CLOSE (TRANSPORT_PARAMETER_ERROR) on 1-RTT packet when
handshake is aborted by TP validation.
---
iocore/net/quic/QUICHandshake.cc | 2 ++
iocore/net/quic/QUICHandshakeProtocol.h | 1 +
iocore/net/quic/QUICTLS.cc | 8 ++++++++
iocore/net/quic/QUICTLS.h | 8 ++++++++
iocore/net/quic/QUICTLS_openssl.cc | 6 +++++-
5 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/iocore/net/quic/QUICHandshake.cc b/iocore/net/quic/QUICHandshake.cc
index f6ea128..637b8cc 100644
--- a/iocore/net/quic/QUICHandshake.cc
+++ b/iocore/net/quic/QUICHandshake.cc
@@ -471,5 +471,7 @@ QUICHandshake::_abort_handshake(QUICTransErrorCode code)
{
QUICHSDebug("Abort Handshake");
+ this->_hs_protocol->abort_handshake();
+
this->_qc->close(QUICConnectionErrorUPtr(new QUICConnectionError(code)));
}
diff --git a/iocore/net/quic/QUICHandshakeProtocol.h b/iocore/net/quic/QUICHandshakeProtocol.h
index 9556155..88dc369 100644
--- a/iocore/net/quic/QUICHandshakeProtocol.h
+++ b/iocore/net/quic/QUICHandshakeProtocol.h
@@ -85,4 +85,5 @@ public:
virtual bool decrypt_pn(uint8_t *unprotected_pn, uint8_t &unprotected_pn_len, const uint8_t *protected_pn,
uint8_t protected_pn_len, const uint8_t *sample, QUICKeyPhase phase) const = 0;
virtual QUICEncryptionLevel current_encryption_level() const = 0;
+ virtual void abort_handshake() = 0;
};
diff --git a/iocore/net/quic/QUICTLS.cc b/iocore/net/quic/QUICTLS.cc
index 862c25d..fb8803e 100644
--- a/iocore/net/quic/QUICTLS.cc
+++ b/iocore/net/quic/QUICTLS.cc
@@ -129,6 +129,14 @@ QUICTLS::current_encryption_level() const
}
void
+QUICTLS::abort_handshake()
+{
+ this->_state = HandshakeState::ABORTED;
+
+ return;
+}
+
+void
QUICTLS::_update_encryption_level(QUICEncryptionLevel level)
{
if (this->_current_level < level) {
diff --git a/iocore/net/quic/QUICTLS.h b/iocore/net/quic/QUICTLS.h
index c070cbb..81fd96d 100644
--- a/iocore/net/quic/QUICTLS.h
+++ b/iocore/net/quic/QUICTLS.h
@@ -43,6 +43,12 @@ public:
QUICTLS(SSL *ssl, NetVConnectionContext_t nvc_ctx, bool stateless);
~QUICTLS();
+ // TODO: integrate with _early_data_processed
+ enum class HandshakeState {
+ PROCESSING,
+ ABORTED,
+ };
+
static QUICEncryptionLevel get_encryption_level(int msg_type);
int handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in) override;
@@ -61,6 +67,7 @@ public:
bool decrypt_pn(uint8_t *unprotected_pn, uint8_t &unprotected_pn_len, const uint8_t *protected_pn, uint8_t protected_pn_len,
const uint8_t *sample, QUICKeyPhase phase) const override;
QUICEncryptionLevel current_encryption_level() const override;
+ void abort_handshake() override;
// FIXME SSL handle should not be exported
SSL *ssl_handle();
@@ -95,4 +102,5 @@ private:
bool _early_data_processed = false;
bool _early_data = true;
QUICEncryptionLevel _current_level = QUICEncryptionLevel::INITIAL;
+ HandshakeState _state = HandshakeState::PROCESSING;
};
diff --git a/iocore/net/quic/QUICTLS_openssl.cc b/iocore/net/quic/QUICTLS_openssl.cc
index 7cb1a7a..9c1be67 100644
--- a/iocore/net/quic/QUICTLS_openssl.cc
+++ b/iocore/net/quic/QUICTLS_openssl.cc
@@ -183,6 +183,10 @@ key_cb(SSL *ssl, int name, const unsigned char *secret, size_t secret_len, const
void
QUICTLS::update_key_materials_on_key_cb(std::unique_ptr<KeyMaterial> km, int name)
{
+ if (this->_state == HandshakeState::ABORTED) {
+ return;
+ }
+
switch (name) {
case SSL_KEY_CLIENT_EARLY_TRAFFIC:
// this->_update_encryption_level(QUICEncryptionLevel::ZERO_RTT);
@@ -251,7 +255,7 @@ int
QUICTLS::handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in)
{
ink_assert(this->_ssl != nullptr);
- if (SSL_is_init_finished(this->_ssl)) {
+ if (SSL_is_init_finished(this->_ssl) || this->_state == HandshakeState::ABORTED) {
return 0;
}