You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/08/14 06:00:24 UTC

[trafficserver] branch quic-latest updated: Check state of handshake before change encryption level

This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/quic-latest by this push:
     new a9a6890  Check state of handshake before change encryption level
a9a6890 is described below

commit a9a689061d75b1024bba6eff25170aa1705b8a0e
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Tue Aug 14 14:47:09 2018 +0900

    Check state of handshake before change encryption level
    
    To avoid sending CONNECTION_CLOSE (TRANSPORT_PARAMETER_ERROR) on 1-RTT packet when
    handshake is aborted by TP validation.
---
 iocore/net/quic/QUICHandshake.cc        | 2 ++
 iocore/net/quic/QUICHandshakeProtocol.h | 1 +
 iocore/net/quic/QUICTLS.cc              | 8 ++++++++
 iocore/net/quic/QUICTLS.h               | 8 ++++++++
 iocore/net/quic/QUICTLS_openssl.cc      | 6 +++++-
 5 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/iocore/net/quic/QUICHandshake.cc b/iocore/net/quic/QUICHandshake.cc
index f6ea128..637b8cc 100644
--- a/iocore/net/quic/QUICHandshake.cc
+++ b/iocore/net/quic/QUICHandshake.cc
@@ -471,5 +471,7 @@ QUICHandshake::_abort_handshake(QUICTransErrorCode code)
 {
   QUICHSDebug("Abort Handshake");
 
+  this->_hs_protocol->abort_handshake();
+
   this->_qc->close(QUICConnectionErrorUPtr(new QUICConnectionError(code)));
 }
diff --git a/iocore/net/quic/QUICHandshakeProtocol.h b/iocore/net/quic/QUICHandshakeProtocol.h
index 9556155..88dc369 100644
--- a/iocore/net/quic/QUICHandshakeProtocol.h
+++ b/iocore/net/quic/QUICHandshakeProtocol.h
@@ -85,4 +85,5 @@ public:
   virtual bool decrypt_pn(uint8_t *unprotected_pn, uint8_t &unprotected_pn_len, const uint8_t *protected_pn,
                           uint8_t protected_pn_len, const uint8_t *sample, QUICKeyPhase phase) const   = 0;
   virtual QUICEncryptionLevel current_encryption_level() const                                         = 0;
+  virtual void abort_handshake()                                                                       = 0;
 };
diff --git a/iocore/net/quic/QUICTLS.cc b/iocore/net/quic/QUICTLS.cc
index 862c25d..fb8803e 100644
--- a/iocore/net/quic/QUICTLS.cc
+++ b/iocore/net/quic/QUICTLS.cc
@@ -129,6 +129,14 @@ QUICTLS::current_encryption_level() const
 }
 
 void
+QUICTLS::abort_handshake()
+{
+  this->_state = HandshakeState::ABORTED;
+
+  return;
+}
+
+void
 QUICTLS::_update_encryption_level(QUICEncryptionLevel level)
 {
   if (this->_current_level < level) {
diff --git a/iocore/net/quic/QUICTLS.h b/iocore/net/quic/QUICTLS.h
index c070cbb..81fd96d 100644
--- a/iocore/net/quic/QUICTLS.h
+++ b/iocore/net/quic/QUICTLS.h
@@ -43,6 +43,12 @@ public:
   QUICTLS(SSL *ssl, NetVConnectionContext_t nvc_ctx, bool stateless);
   ~QUICTLS();
 
+  // TODO: integrate with _early_data_processed
+  enum class HandshakeState {
+    PROCESSING,
+    ABORTED,
+  };
+
   static QUICEncryptionLevel get_encryption_level(int msg_type);
 
   int handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in) override;
@@ -61,6 +67,7 @@ public:
   bool decrypt_pn(uint8_t *unprotected_pn, uint8_t &unprotected_pn_len, const uint8_t *protected_pn, uint8_t protected_pn_len,
                   const uint8_t *sample, QUICKeyPhase phase) const override;
   QUICEncryptionLevel current_encryption_level() const override;
+  void abort_handshake() override;
 
   // FIXME SSL handle should not be exported
   SSL *ssl_handle();
@@ -95,4 +102,5 @@ private:
   bool _early_data_processed             = false;
   bool _early_data                       = true;
   QUICEncryptionLevel _current_level     = QUICEncryptionLevel::INITIAL;
+  HandshakeState _state                  = HandshakeState::PROCESSING;
 };
diff --git a/iocore/net/quic/QUICTLS_openssl.cc b/iocore/net/quic/QUICTLS_openssl.cc
index 7cb1a7a..9c1be67 100644
--- a/iocore/net/quic/QUICTLS_openssl.cc
+++ b/iocore/net/quic/QUICTLS_openssl.cc
@@ -183,6 +183,10 @@ key_cb(SSL *ssl, int name, const unsigned char *secret, size_t secret_len, const
 void
 QUICTLS::update_key_materials_on_key_cb(std::unique_ptr<KeyMaterial> km, int name)
 {
+  if (this->_state == HandshakeState::ABORTED) {
+    return;
+  }
+
   switch (name) {
   case SSL_KEY_CLIENT_EARLY_TRAFFIC:
     // this->_update_encryption_level(QUICEncryptionLevel::ZERO_RTT);
@@ -251,7 +255,7 @@ int
 QUICTLS::handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in)
 {
   ink_assert(this->_ssl != nullptr);
-  if (SSL_is_init_finished(this->_ssl)) {
+  if (SSL_is_init_finished(this->_ssl) || this->_state == HandshakeState::ABORTED) {
     return 0;
   }