You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/08/28 03:37:40 UTC
[trafficserver] 03/03: Reduce dependency for SSL from QUICHandshake
This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit f694413937f4a380b71c677a07f76a7595d3918f
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Tue Aug 28 12:35:47 2018 +0900
Reduce dependency for SSL from QUICHandshake
---
iocore/net/QUICNetVConnection.cc | 6 ++++--
iocore/net/quic/Mock.h | 5 +++++
iocore/net/quic/QUICHandshake.cc | 25 +++++++++++-----------
iocore/net/quic/QUICHandshake.h | 5 ++---
iocore/net/quic/QUICHandshakeProtocol.h | 1 +
iocore/net/quic/QUICTLS.cc | 6 ++++++
iocore/net/quic/QUICTLS.h | 6 +++++-
iocore/net/quic/QUICTLS_openssl.cc | 10 +++++++--
iocore/net/quic/test/test_QUICHandshakeProtocol.cc | 4 ++--
9 files changed, 46 insertions(+), 22 deletions(-)
diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc
index 2b833b3..6c0d1c4 100644
--- a/iocore/net/QUICNetVConnection.cc
+++ b/iocore/net/QUICNetVConnection.cc
@@ -32,6 +32,7 @@
#include "Log.h"
#include "P_SSLNextProtocolSet.h"
+#include "QUICTLS.h"
#include "QUICStats.h"
#include "QUICConfig.h"
@@ -204,9 +205,10 @@ QUICNetVConnection::start()
// Version 0x00000001 uses stream 0 for cryptographic handshake with TLS 1.3, but newer version may not
if (this->direction() == NET_VCONNECTION_IN) {
this->_reset_token.generate(this->_quic_connection_id, params->server_id());
- this->_handshake_handler = new QUICHandshake(this, params->server_ssl_ctx(), this->_reset_token, params->stateless_retry());
+ this->_handshake_handler = new QUICHandshake(this, new QUICTLS(params->server_ssl_ctx(), this->direction()), this->_reset_token,
+ params->stateless_retry());
} else {
- this->_handshake_handler = new QUICHandshake(this, params->client_ssl_ctx());
+ this->_handshake_handler = new QUICHandshake(this, new QUICTLS(params->client_ssl_ctx(), this->direction()));
this->_handshake_handler->start(&this->_packet_factory, params->vn_exercise_enabled());
this->_handshake_handler->do_handshake();
}
diff --git a/iocore/net/quic/Mock.h b/iocore/net/quic/Mock.h
index b282b8c..dff1afa 100644
--- a/iocore/net/quic/Mock.h
+++ b/iocore/net/quic/Mock.h
@@ -526,6 +526,11 @@ public:
return true;
}
+ void
+ reset() override
+ {
+ }
+
bool
is_handshake_finished() const override
{
diff --git a/iocore/net/quic/QUICHandshake.cc b/iocore/net/quic/QUICHandshake.cc
index dc5834e..b13028c 100644
--- a/iocore/net/quic/QUICHandshake.cc
+++ b/iocore/net/quic/QUICHandshake.cc
@@ -25,9 +25,6 @@
#include <utility>
-#include "P_SSLNextProtocolSet.h"
-#include "P_VConnection.h"
-
#include "QUICTLS.h"
#include "QUICEvents.h"
#include "QUICGlobals.h"
@@ -87,18 +84,22 @@ static constexpr int UDP_MAXIMUM_PAYLOAD_SIZE = 65527;
// TODO: fix size
static constexpr int MAX_HANDSHAKE_MSG_LEN = 65527;
-QUICHandshake::QUICHandshake(QUICConnection *qc, SSL_CTX *ssl_ctx) : QUICHandshake(qc, ssl_ctx, {}, false) {}
+QUICHandshake::QUICHandshake(QUICConnection *qc, QUICHandshakeProtocol *hsp) : QUICHandshake(qc, hsp, {}, false) {}
-QUICHandshake::QUICHandshake(QUICConnection *qc, SSL_CTX *ssl_ctx, QUICStatelessResetToken token, bool stateless_retry)
+QUICHandshake::QUICHandshake(QUICConnection *qc, QUICHandshakeProtocol *hsp, QUICStatelessResetToken token, bool stateless_retry)
: _qc(qc),
- _ssl(SSL_new(ssl_ctx)),
- _hs_protocol(new QUICTLS(this->_ssl, qc->direction())),
+ _hs_protocol(hsp),
_version_negotiator(new QUICVersionNegotiator()),
_reset_token(token),
_stateless_retry(stateless_retry)
{
- SSL_set_ex_data(this->_ssl, QUIC::ssl_quic_qc_index, qc);
- SSL_set_ex_data(this->_ssl, QUIC::ssl_quic_hs_index, this);
+ // FIXME These should be done in another way
+ if (dynamic_cast<QUICTLS *>(hsp)) {
+ SSL *ssl = static_cast<QUICTLS *>(hsp)->ssl_handle();
+ SSL_set_ex_data(ssl, QUIC::ssl_quic_qc_index, qc);
+ SSL_set_ex_data(ssl, QUIC::ssl_quic_hs_index, this);
+ }
+
this->_hs_protocol->initialize_key_materials(this->_qc->original_connection_id());
if (this->_qc->direction() == NET_VCONNECTION_OUT) {
@@ -108,7 +109,7 @@ QUICHandshake::QUICHandshake(QUICConnection *qc, SSL_CTX *ssl_ctx, QUICStateless
QUICHandshake::~QUICHandshake()
{
- SSL_free(this->_ssl);
+ delete this->_hs_protocol;
}
QUICErrorUPtr
@@ -188,7 +189,7 @@ QUICHandshake::is_version_negotiated() const
bool
QUICHandshake::is_completed() const
{
- return SSL_is_init_finished(this->_ssl);
+ return this->_hs_protocol->is_handshake_finished();
}
bool
@@ -308,7 +309,7 @@ void
QUICHandshake::reset()
{
this->_client_initial = true;
- SSL_clear(this->_ssl);
+ this->_hs_protocol->reset();
for (auto level : QUIC_ENCRYPTION_LEVELS) {
int index = static_cast<int>(level);
diff --git a/iocore/net/quic/QUICHandshake.h b/iocore/net/quic/QUICHandshake.h
index eb79f4a..c5ef75d 100644
--- a/iocore/net/quic/QUICHandshake.h
+++ b/iocore/net/quic/QUICHandshake.h
@@ -40,9 +40,9 @@ class QUICHandshake : public QUICFrameHandler, public QUICFrameGenerator
{
public:
// Constructor for client side
- QUICHandshake(QUICConnection *qc, SSL_CTX *ssl_ctx);
+ QUICHandshake(QUICConnection *qc, QUICHandshakeProtocol *hsp);
// Constructor for server side
- QUICHandshake(QUICConnection *qc, SSL_CTX *ssl_ctx, QUICStatelessResetToken token, bool stateless_retry);
+ QUICHandshake(QUICConnection *qc, QUICHandshakeProtocol *hsp, QUICStatelessResetToken token, bool stateless_retry);
~QUICHandshake();
// QUICFrameHandler
@@ -82,7 +82,6 @@ public:
private:
QUICConnection *_qc = nullptr;
- SSL *_ssl = nullptr;
QUICHandshakeProtocol *_hs_protocol = nullptr;
std::shared_ptr<QUICTransportParameters> _local_transport_parameters = nullptr;
std::shared_ptr<QUICTransportParameters> _remote_transport_parameters = nullptr;
diff --git a/iocore/net/quic/QUICHandshakeProtocol.h b/iocore/net/quic/QUICHandshakeProtocol.h
index 3627e41..abc4410 100644
--- a/iocore/net/quic/QUICHandshakeProtocol.h
+++ b/iocore/net/quic/QUICHandshakeProtocol.h
@@ -71,6 +71,7 @@ public:
virtual ~QUICHandshakeProtocol(){};
virtual int handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in) = 0;
+ virtual void reset() = 0;
virtual bool is_handshake_finished() const = 0;
virtual bool is_ready_to_derive() const = 0;
virtual bool is_key_derived(QUICKeyPhase key_phase, bool for_encryption) const = 0;
diff --git a/iocore/net/quic/QUICTLS.cc b/iocore/net/quic/QUICTLS.cc
index 21b3599..bfbff38 100644
--- a/iocore/net/quic/QUICTLS.cc
+++ b/iocore/net/quic/QUICTLS.cc
@@ -31,6 +31,12 @@
constexpr static char tag[] = "quic_tls";
+SSL *
+QUICTLS::ssl_handle()
+{
+ return this->_ssl;
+}
+
QUICTLS::~QUICTLS()
{
SSL_free(this->_ssl);
diff --git a/iocore/net/quic/QUICTLS.h b/iocore/net/quic/QUICTLS.h
index d7c8cbc..7e040ac 100644
--- a/iocore/net/quic/QUICTLS.h
+++ b/iocore/net/quic/QUICTLS.h
@@ -39,7 +39,7 @@
class QUICTLS : public QUICHandshakeProtocol
{
public:
- QUICTLS(SSL *ssl, NetVConnectionContext_t nvc_ctx);
+ QUICTLS(SSL_CTX *ssl_ctx, NetVConnectionContext_t nvc_ctx);
~QUICTLS();
// TODO: integrate with _early_data_processed
@@ -50,7 +50,11 @@ public:
static QUICEncryptionLevel get_encryption_level(int msg_type);
+ // FIXME Should not exist
+ SSL *ssl_handle();
+
int handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in) override;
+ void reset() override;
bool is_handshake_finished() const override;
bool is_ready_to_derive() const override;
bool is_key_derived(QUICKeyPhase key_phase, bool for_encryption) const override;
diff --git a/iocore/net/quic/QUICTLS_openssl.cc b/iocore/net/quic/QUICTLS_openssl.cc
index 319195b..6f3d25f 100644
--- a/iocore/net/quic/QUICTLS_openssl.cc
+++ b/iocore/net/quic/QUICTLS_openssl.cc
@@ -215,8 +215,8 @@ QUICTLS::update_key_materials_on_key_cb(std::unique_ptr<KeyMaterial> km, int nam
return;
}
-QUICTLS::QUICTLS(SSL *ssl, NetVConnectionContext_t nvc_ctx)
- : QUICHandshakeProtocol(), _ssl(ssl), _netvc_context(nvc_ctx)
+QUICTLS::QUICTLS(SSL_CTX *ssl_ctx, NetVConnectionContext_t nvc_ctx)
+ : QUICHandshakeProtocol(), _ssl(SSL_new(ssl_ctx)), _netvc_context(nvc_ctx)
{
ink_assert(this->_netvc_context != NET_VCONNECTION_UNSET);
@@ -303,6 +303,12 @@ QUICTLS::handshake(QUICHandshakeMsgs *out, const QUICHandshakeMsgs *in)
return 1;
}
+void
+QUICTLS::reset()
+{
+ SSL_clear(this->_ssl);
+}
+
int
QUICTLS::_read_early_data()
{
diff --git a/iocore/net/quic/test/test_QUICHandshakeProtocol.cc b/iocore/net/quic/test/test_QUICHandshakeProtocol.cc
index 22bbfe8..818cf8a 100644
--- a/iocore/net/quic/test/test_QUICHandshakeProtocol.cc
+++ b/iocore/net/quic/test/test_QUICHandshakeProtocol.cc
@@ -164,7 +164,7 @@ TEST_CASE("QUICHandshakeProtocol Full Handshake", "[quic]")
#ifdef SSL_MODE_QUIC_HACK
SSL_CTX_set_mode(client_ssl_ctx, SSL_MODE_QUIC_HACK);
#endif
- QUICHandshakeProtocol *client = new QUICTLS(SSL_new(client_ssl_ctx), NET_VCONNECTION_OUT);
+ QUICHandshakeProtocol *client = new QUICTLS(client_ssl_ctx, NET_VCONNECTION_OUT);
// Server
SSL_CTX *server_ssl_ctx = SSL_CTX_new(TLS_method());
@@ -180,7 +180,7 @@ TEST_CASE("QUICHandshakeProtocol Full Handshake", "[quic]")
BIO *key_bio(BIO_new_mem_buf(server_key, sizeof(server_key)));
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key_bio, nullptr, nullptr, nullptr);
SSL_CTX_use_PrivateKey(server_ssl_ctx, pkey);
- QUICHandshakeProtocol *server = new QUICTLS(SSL_new(server_ssl_ctx), NET_VCONNECTION_IN);
+ QUICHandshakeProtocol *server = new QUICTLS(server_ssl_ctx, NET_VCONNECTION_IN);
BIO_free(crt_bio);
BIO_free(key_bio);