Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/03/19 01:32:16 UTC
[trafficserver] branch quic-latest updated: Separate stateless
cookie callbacks from QUICGlobal
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new 09f62d9 Separate stateless cookie callbacks from QUICGlobal
09f62d9 is described below
commit 09f62d9ffc55e6d18bbad8df76aa93bf37945a00
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Mon Mar 19 10:14:26 2018 +0900
Separate stateless cookie callbacks from QUICGlobal
QUICNetVConnection is used from these callbacks to get the client address, which caused link issues in the QUIC unit tests.
---
iocore/net/QUICNetProcessor.cc | 8 +++
iocore/net/QUICPacketHandler.cc | 6 ---
iocore/net/quic/Makefile.am | 3 +-
iocore/net/quic/QUICGlobals.cc | 43 ----------------
iocore/net/quic/QUICGlobals.h | 2 -
.../quic/{QUICGlobals.cc => QUICStatelessRetry.cc} | 60 ++++------------------
.../quic/{QUICGlobals.h => QUICStatelessRetry.h} | 18 ++-----
7 files changed, 23 insertions(+), 117 deletions(-)
diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc
index ed329b4..55c7b10 100644
--- a/iocore/net/QUICNetProcessor.cc
+++ b/iocore/net/QUICNetProcessor.cc
@@ -28,6 +28,7 @@
#include "QUICGlobals.h"
#include "QUICConfig.h"
#include "QUICTransportParameters.h"
+#include "QUICStatelessRetry.h"
//
// Global Data
@@ -67,6 +68,7 @@ QUICNetProcessor::start(int, size_t stacksize)
// This initialization order matters ...
// QUICInitializeLibrary();
QUICConfig::startup();
+ QUICStatelessRetry::init();
#ifdef TLS1_3_VERSION_DRAFT_TXT
// FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
@@ -79,6 +81,7 @@ QUICNetProcessor::start(int, size_t stacksize)
// Initialize QUIC statistics. This depends on an initial set of certificates being loaded above.
// QUICInitializeStatistics();
+ // TODO: separate SSL_CTX for client and server
// TODO: load certs from SSLConfig
this->_ssl_ctx = SSL_CTX_new(TLS_method());
SSL_CTX_set_min_proto_version(this->_ssl_ctx, TLS1_3_VERSION);
@@ -94,6 +97,11 @@ QUICNetProcessor::start(int, size_t stacksize)
&QUICTransportParametersHandler::add, &QUICTransportParametersHandler::free, nullptr,
&QUICTransportParametersHandler::parse, nullptr);
+ // callbacks for cookie ext
+ // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
+ SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUICStatelessRetry::generate_cookie);
+ SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUICStatelessRetry::verify_cookie);
+
SSLConfig::scoped_config params;
SSLParseCertificateConfiguration(params, this->_ssl_ctx);
diff --git a/iocore/net/QUICPacketHandler.cc b/iocore/net/QUICPacketHandler.cc
index f5a3bbe..2561005 100644
--- a/iocore/net/QUICPacketHandler.cc
+++ b/iocore/net/QUICPacketHandler.cc
@@ -27,7 +27,6 @@
#include "QUICPacket.h"
#include "QUICDebugNames.h"
#include "QUICEvents.h"
-#include "QUICGlobals.h"
//
// QUICPacketHandler
@@ -95,11 +94,6 @@ QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt,
// create Connection Table
QUICConfig::scoped_config params;
_ctable = new QUICConnectionTable(params->connection_table_size());
-
- // callbacks for cookie ext
- // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
- SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUIC::ssl_generate_stateless_cookie);
- SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUIC::ssl_verify_stateless_cookie);
}
QUICPacketHandlerIn::~QUICPacketHandlerIn()
diff --git a/iocore/net/quic/Makefile.am b/iocore/net/quic/Makefile.am
index 7898ddf..fcb8e6d 100644
--- a/iocore/net/quic/Makefile.am
+++ b/iocore/net/quic/Makefile.am
@@ -72,7 +72,8 @@ libquic_a_SOURCES = \
QUICDebugNames.cc \
QUICApplication.cc \
QUICApplicationMap.cc \
- QUICIncomingFrameBuffer.cc
+ QUICIncomingFrameBuffer.cc \
+ QUICStatelessRetry.cc
include $(top_srcdir)/build/tidy.mk
diff --git a/iocore/net/quic/QUICGlobals.cc b/iocore/net/quic/QUICGlobals.cc
index c843e9b..ceb4c95 100644
--- a/iocore/net/quic/QUICGlobals.cc
+++ b/iocore/net/quic/QUICGlobals.cc
@@ -25,11 +25,7 @@
#include <cstring>
-#include <openssl/hmac.h>
-#include <openssl/evp.h>
-
#include "P_SSLNextProtocolSet.h"
-#include "P_QUICNetVConnection.h"
#include "QUICStats.h"
#include "QUICConnection.h"
@@ -38,18 +34,12 @@ RecRawStatBlock *quic_rsb;
int QUIC::ssl_quic_qc_index = -1;
int QUIC::ssl_quic_hs_index = -1;
-static constexpr size_t STATELESS_COOKIE_SECRET_LENGTH = 16;
-static uint8_t stateless_cookie_secret[STATELESS_COOKIE_SECRET_LENGTH] = {0};
-
void
QUIC::init()
{
QUIC::_register_stats();
ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
-
- // TODO: read cookie secret from file like SSLTicketKeyConfig
- RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH);
}
int
@@ -70,39 +60,6 @@ QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned cha
return SSL_TLSEXT_ERR_NOACK;
}
-int
-QUIC::ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len)
-{
- // Call UnixNetVConnection::get_remote_addr() safely
- // TODO: add APIs to getting client addr in QUICConnection
- QUICConnection *qc = static_cast<QUICConnection *>(SSL_get_ex_data(ssl, QUIC::ssl_quic_qc_index));
- QUICNetVConnection *qvc = dynamic_cast<QUICNetVConnection *>(qc);
-
- uint8_t key[INET6_ADDRPORTSTRLEN] = {0};
- size_t key_len = INET6_ADDRPORTSTRLEN;
- ats_ip_nptop(qvc->get_remote_addr(), reinterpret_cast<char *>(key), key_len);
-
- unsigned int dst_len = 0;
- HMAC(EVP_sha1(), stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH, key, key_len, cookie, &dst_len);
- *cookie_len = dst_len;
-
- return 1;
-}
-
-int
-QUIC::ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
-{
- uint8_t token[EVP_MAX_MD_SIZE];
- size_t token_len;
-
- if (QUIC::ssl_generate_stateless_cookie(ssl, token, &token_len) && cookie_len == token_len &&
- memcmp(token, cookie, cookie_len) == 0) {
- return 1;
- } else {
- return 0;
- }
-}
-
void
QUIC::_register_stats()
{
diff --git a/iocore/net/quic/QUICGlobals.h b/iocore/net/quic/QUICGlobals.h
index 26f2e1b..379fa18 100644
--- a/iocore/net/quic/QUICGlobals.h
+++ b/iocore/net/quic/QUICGlobals.h
@@ -33,8 +33,6 @@ public:
// SSL callbacks
static int ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in,
unsigned inlen, void *);
- static int ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len);
- static int ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len);
static int ssl_quic_qc_index;
static int ssl_quic_hs_index;
diff --git a/iocore/net/quic/QUICGlobals.cc b/iocore/net/quic/QUICStatelessRetry.cc
similarity index 51%
copy from iocore/net/quic/QUICGlobals.cc
copy to iocore/net/quic/QUICStatelessRetry.cc
index c843e9b..700b8c7 100644
--- a/iocore/net/quic/QUICGlobals.cc
+++ b/iocore/net/quic/QUICStatelessRetry.cc
@@ -1,6 +1,6 @@
/** @file
*
- * A brief file description
+ * Callbacks for Stateless Retry
*
* @section license License
*
@@ -21,57 +21,29 @@
* limitations under the License.
*/
-#include "QUICGlobals.h"
-
-#include <cstring>
+#include "QUICStatelessRetry.h"
#include <openssl/hmac.h>
#include <openssl/evp.h>
+#include <openssl/rand.h>
-#include "P_SSLNextProtocolSet.h"
#include "P_QUICNetVConnection.h"
-#include "QUICStats.h"
-#include "QUICConnection.h"
-RecRawStatBlock *quic_rsb;
-
-int QUIC::ssl_quic_qc_index = -1;
-int QUIC::ssl_quic_hs_index = -1;
+#include "QUICGlobals.h"
+#include "QUICConnection.h"
static constexpr size_t STATELESS_COOKIE_SECRET_LENGTH = 16;
static uint8_t stateless_cookie_secret[STATELESS_COOKIE_SECRET_LENGTH] = {0};
void
-QUIC::init()
+QUICStatelessRetry::init()
{
- QUIC::_register_stats();
- ssl_quic_qc_index = SSL_get_ex_new_index(0, (void *)"QUICConnection index", nullptr, nullptr, nullptr);
- ssl_quic_hs_index = SSL_get_ex_new_index(0, (void *)"QUICHandshake index", nullptr, nullptr, nullptr);
-
// TODO: read cookie secret from file like SSLTicketKeyConfig
RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH);
}
int
-QUIC::ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned inlen,
- void *)
-{
- const unsigned char *npn;
- unsigned npnsz = 0;
- QUICConnection *qc = static_cast<QUICConnection *>(SSL_get_ex_data(ssl, QUIC::ssl_quic_qc_index));
-
- qc->next_protocol_set()->advertiseProtocols(&npn, &npnsz);
- if (SSL_select_next_proto((unsigned char **)out, outlen, npn, npnsz, in, inlen) == OPENSSL_NPN_NEGOTIATED) {
- return SSL_TLSEXT_ERR_OK;
- }
-
- *out = nullptr;
- *outlen = 0;
- return SSL_TLSEXT_ERR_NOACK;
-}
-
-int
-QUIC::ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len)
+QUICStatelessRetry::generate_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len)
{
// Call UnixNetVConnection::get_remote_addr() safely
// TODO: add APIs to getting client addr in QUICConnection
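Review bot: The return value of `RAND_bytes` in `QUICStatelessRetry::init()` is ignored, so if the CSPRNG is unseeded or fails the secret stays all zeros and every cookie is computed from a known key. Since this init is now the only place the secret is set, treat failure as fatal at startup, e.g. `ink_release_assert(RAND_bytes(stateless_cookie_secret, STATELESS_COOKIE_SECRET_LENGTH) == 1);` (or whichever fatal-error helper this file's neighbours use). It would also help to document on the secret's declaration that it is process-lifetime and regenerated on every restart, so cookies issued before a restart are rejected afterwards. The body of `generate_cookie` continues outside this hunk.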
@@ -90,29 +62,15 @@ QUIC::ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *coo
}
int
-QUIC::ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
+QUICStatelessRetry::verify_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len)
{
uint8_t token[EVP_MAX_MD_SIZE];
size_t token_len;
- if (QUIC::ssl_generate_stateless_cookie(ssl, token, &token_len) && cookie_len == token_len &&
+ if (QUICStatelessRetry::generate_cookie(ssl, token, &token_len) && cookie_len == token_len &&
memcmp(token, cookie, cookie_len) == 0) {
return 1;
} else {
return 0;
}
}
-
-void
-QUIC::_register_stats()
-{
- quic_rsb = RecAllocateRawStatBlock(static_cast<int>(QUICStats::count));
-
- // Transfered packet counts
- RecRegisterRawStat(quic_rsb, RECT_PROCESS, "proxy.process.quic.total_packets_sent", RECD_INT, RECP_PERSISTENT,
- static_cast<int>(QUICStats::total_packets_sent_stat), RecRawStatSyncSum);
- // RecRegisterRawStat(quic_rsb, RECT_PROCESS, "proxy.process.quic.total_packets_retransmitted", RECD_INT, RECP_PERSISTENT,
- // static_cast<int>(quic_total_packets_retransmitted_stat), RecRawStatSyncSum);
- // RecRegisterRawStat(quic_rsb, RECT_PROCESS, "proxy.process.quic.total_packets_received", RECD_INT, RECP_PERSISTENT,
- // static_cast<int>(quic_total_packets_received_stat), RecRawStatSyncSum);
-}
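Review bot: `verify_cookie` compares the client-supplied cookie against the freshly computed HMAC with `memcmp`, which exits on the first mismatching byte and therefore leaks how many leading bytes were correct through timing. OpenSSL ships a constant-time comparison for exactly this case; use `CRYPTO_memcmp(token, cookie, cookie_len) == 0` (from `<openssl/crypto.h>`) in the condition at the top of this hunk. The length equality check before the comparison should stay as it is.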
diff --git a/iocore/net/quic/QUICGlobals.h b/iocore/net/quic/QUICStatelessRetry.h
similarity index 63%
copy from iocore/net/quic/QUICGlobals.h
copy to iocore/net/quic/QUICStatelessRetry.h
index 26f2e1b..a63081b 100644
--- a/iocore/net/quic/QUICGlobals.h
+++ b/iocore/net/quic/QUICStatelessRetry.h
@@ -1,6 +1,6 @@
/** @file
*
- * QUIC Globals
+ * Callbacks for Stateless Retry
*
* @section license License
*
@@ -25,20 +25,10 @@
#include <openssl/ssl.h>
-class QUIC
+class QUICStatelessRetry
{
public:
static void init();
-
- // SSL callbacks
- static int ssl_select_next_protocol(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in,
- unsigned inlen, void *);
- static int ssl_generate_stateless_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len);
- static int ssl_verify_stateless_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len);
-
- static int ssl_quic_qc_index;
- static int ssl_quic_hs_index;
-
-private:
- static void _register_stats();
+ static int generate_cookie(SSL *ssl, unsigned char *cookie, size_t *cookie_len);
+ static int verify_cookie(SSL *ssl, const unsigned char *cookie, size_t cookie_len);
};
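Review bot: The new class has no documentation on its members, and the ordering requirement is not stated anywhere: `generate_cookie` and `verify_cookie` read a secret that only `init()` fills in. A short comment block above the class, saying that these are the callbacks to pass to `SSL_CTX_set_stateless_cookie_generate_cb`/`SSL_CTX_set_stateless_cookie_verify_cb`, that `init()` must run once before the SSL_CTX is used, and that both return 1 on success and 0 otherwise as OpenSSL expects, would let a reader use the header without opening the .cc file.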
--