Revert "[TS-3153]: Ability to disable or modify npn advertisement based on SNI"
This reverts commit 24262d8f6a14b6bb7bf7288f6309a68f6dc8589b. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a0bad98e Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a0bad98e Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a0bad98e Branch: refs/heads/master Commit: a0bad98ec17c441ce8a44e181005df03630b469d Parents: d839f21 Author: Sudheer Vinukonda <[email protected]> Authored: Wed Nov 19 16:23:54 2014 +0000 Committer: Sudheer Vinukonda <[email protected]> Committed: Wed Nov 19 16:23:54 2014 +0000 ---------------------------------------------------------------------- configure.ac | 1 - iocore/net/P_SSLNetVConnection.h | 6 - iocore/net/SSLNetVConnection.cc | 82 +------- iocore/net/SSLUtils.cc | 5 - plugins/experimental/Makefile.am | 1 - plugins/experimental/sni_proto_nego/Makefile.am | 21 -- .../sni_proto_nego/sni_proto_nego.cc | 194 ------------------- proxy/InkAPI.cc | 10 - proxy/api/ts/ts.h | 1 - 9 files changed, 1 insertion(+), 320 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/configure.ac ---------------------------------------------------------------------- diff --git a/configure.ac b/configure.ac index 91e9874..3e4465b 100644 --- a/configure.ac +++ b/configure.ac @@ -1945,7 +1945,6 @@ AS_IF([test "x$enable_experimental_plugins" = xyes], [ plugins/experimental/regex_revalidate/Makefile plugins/experimental/remap_stats/Makefile plugins/experimental/s3_auth/Makefile - plugins/experimental/sni_proto_nego/Makefile plugins/experimental/sslheaders/Makefile plugins/experimental/ssl_cert_loader/Makefile plugins/experimental/stale_while_revalidate/Makefile http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/iocore/net/P_SSLNetVConnection.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 1dc7071..c481c8b 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -122,9 +122,6 @@ public: static int advertise_next_protocol(SSL * ssl, const unsigned char ** out, unsigned * outlen, void *); static int select_next_protocol(SSL * ssl, const unsigned char ** out, unsigned char * outlen, const unsigned char * in, unsigned inlen, void *); - bool modify_npn_advertisement(const unsigned char ** list, unsigned cnt); - bool setAdvertiseProtocols(const unsigned char ** list, unsigned cnt); - Continuation * endpoint() const { return npnEndpoint; } @@ -201,9 +198,6 @@ private: const SSLNextProtocolSet * npnSet; Continuation * npnEndpoint; - unsigned char * npnAdvertised; - size_t npnszAdvertised; - int npnAdvertisedBufIndex; }; typedef int (SSLNetVConnection::*SSLNetVConnHandler) (int, void *); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/iocore/net/SSLNetVConnection.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 60fcbf9..4a9ec29 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -27,8 +27,6 @@ #include "P_SSLUtils.h" #include "InkAPIInternal.h" // Added to include the ssl_hook definitions -extern unsigned char * append_protocol(const char * proto, unsigned char * buf); - // Defined in SSLInternal.c, should probably make a separate include // file for this at some point void SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio); @@ -778,10 +776,7 @@ SSLNetVConnection::SSLNetVConnection(): sslPreAcceptHookState(SSL_HOOKS_INIT), sslSNIHookState(SNI_HOOKS_INIT), npnSet(NULL), - npnEndpoint(NULL), - npnAdvertised(NULL), - npnszAdvertised(0), - npnAdvertisedBufIndex(-1) + npnEndpoint(NULL) { } @@ -820,9 +815,6 @@ SSLNetVConnection::free(EThread * t) { hookOpRequested = TS_SSL_HOOK_OP_DEFAULT; npnSet = NULL; npnEndpoint= NULL; - npnAdvertised = NULL; - npnszAdvertised = 0; - npnAdvertisedBufIndex = -1; if (from_accept_thread) { sslNetVCAllocator.free(this); @@ -1168,14 +1160,6 @@ SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, ink_release_assert(netvc != NULL); - // check if there's a SNI based customized advertisement - if (netvc->npnAdvertised && netvc->npnszAdvertised) { - *out = netvc->npnAdvertised; - *outlen = netvc->npnszAdvertised; - return SSL_TLSEXT_ERR_OK; - } - - // use default endPoint advertisement if (netvc->npnSet && netvc->npnSet->advertiseProtocols(out, outlen)) { // Successful return tells OpenSSL to advertise. return SSL_TLSEXT_ERR_OK; @@ -1184,70 +1168,6 @@ SSLNetVConnection::advertise_next_protocol(SSL *ssl, const unsigned char **out, return SSL_TLSEXT_ERR_NOACK; } -bool -SSLNetVConnection::modify_npn_advertisement(const unsigned char ** list, unsigned cnt) -{ - unsigned char* advertised = npnAdvertised; - - for (unsigned int i=0; i<cnt; i++) { - const char* proto = (const char*) list[i]; - Debug("ssl", "advertising protocol %s", proto); - advertised = append_protocol(proto, advertised); - } - - return true; -} - -bool -SSLNetVConnection::setAdvertiseProtocols(const unsigned char ** list, unsigned cnt) -{ - size_t total_len = 0; - - if (cnt == 0) { - // set default list based on server_ports config - if (npnAdvertised) { - ink_assert (npnAdvertisedBufIndex >= 0); - ioBufAllocator[npnAdvertisedBufIndex].free_void(npnAdvertised); - npnAdvertised = NULL; - npnszAdvertised = 0; - npnAdvertisedBufIndex = -1; - } - return true; - } - - // validate the modified npn list - for (unsigned int i=0; i<cnt; i++) { - const char* proto = (const char*) list[i]; - size_t len = strlen(proto); - - // Both ALPN and NPN only allow 255 bytes of protocol name. - if (len > 255) { - return false; - } - - if (!npnSet->findEndpoint((const unsigned char *)proto, len)) { - return false; - } - total_len += (len + 1); - } - - if (npnAdvertised) { - ink_assert (npnAdvertisedBufIndex >= 0); - ioBufAllocator[npnAdvertisedBufIndex].free_void(npnAdvertised); - } - - npnszAdvertised = total_len; - npnAdvertisedBufIndex = buffer_size_to_index(npnszAdvertised); - npnAdvertised = (unsigned char *)ioBufAllocator[npnAdvertisedBufIndex].alloc_void(); - if (npnAdvertised == NULL) { - npnszAdvertised = 0; - npnAdvertisedBufIndex = -1; - return false; - } - - return modify_npn_advertisement(list, cnt); -} - // ALPN TLS extension callback. Given the client's set of offered // protocols, we have to select a protocol to use for this session. int http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 1755c0c..3033fcc 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -307,11 +307,6 @@ ssl_servername_callback(SSL * ssl, int * ad, void * /*arg*/) goto done; } - // set the default -#if TS_USE_TLS_NPN - SSL_CTX_set_next_protos_advertised_cb(ctx, SSLNetVConnection::advertise_next_protocol, NULL); -#endif /* TS_USE_TLS_NPN */ - // Call the plugin SNI code reenabled = netvc->callHooks(TS_SSL_SNI_HOOK); // If it did not re-enable, return the code to http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/plugins/experimental/Makefile.am ---------------------------------------------------------------------- diff --git a/plugins/experimental/Makefile.am b/plugins/experimental/Makefile.am index 091557d..51b06f0 100644 --- a/plugins/experimental/Makefile.am +++ b/plugins/experimental/Makefile.am @@ -33,7 +33,6 @@ SUBDIRS = \ regex_revalidate \ remap_stats \ s3_auth \ - sni_proto_nego \ ssl_cert_loader \ sslheaders \ stale_while_revalidate \ http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/plugins/experimental/sni_proto_nego/Makefile.am ---------------------------------------------------------------------- diff --git a/plugins/experimental/sni_proto_nego/Makefile.am b/plugins/experimental/sni_proto_nego/Makefile.am deleted file mode 100644 index 958634c..0000000 --- a/plugins/experimental/sni_proto_nego/Makefile.am +++ /dev/null @@ -1,21 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -include $(top_srcdir)/build/plugins.mk - -pkglib_LTLIBRARIES = sni_proto_nego.la -sni_proto_nego_la_SOURCES = sni_proto_nego.cc -sni_proto_nego_la_LDFLAGS = $(TS_PLUGIN_LDFLAGS) http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/plugins/experimental/sni_proto_nego/sni_proto_nego.cc ---------------------------------------------------------------------- diff --git a/plugins/experimental/sni_proto_nego/sni_proto_nego.cc b/plugins/experimental/sni_proto_nego/sni_proto_nego.cc deleted file mode 100644 index cd1f4db..0000000 --- a/plugins/experimental/sni_proto_nego/sni_proto_nego.cc +++ /dev/null @@ -1,194 +0,0 @@ -#include <stdio.h> -#include <ts/ts.h> -#include <ts/apidefs.h> -#include <openssl/ssl.h> -#include <string> -#include <map> -#include <string.h> - -using namespace std; - -const char* PLUGIN_NAME = "sni_proto_nego"; -const int MAX_BUFFER_SIZE = 1024; -const int MAX_FILE_PATH_SIZE = 1024; -const unsigned int MAX_PROTO_LIST_LEN = 100; -const unsigned int MAX_PROTO_NAME_LEN = 255; - -typedef struct { - bool enableNpn; - unsigned int npn_proto_list_count; - unsigned char npn_proto_list [MAX_PROTO_LIST_LEN] [MAX_PROTO_NAME_LEN]; -} SNIProtoConfig; - -typedef map<string, SNIProtoConfig> stringMap; -static stringMap _sniProtoMap; - -static -bool read_config(char* config_file) { - char file_path[MAX_FILE_PATH_SIZE]; - TSFile file; - if (config_file == NULL) { - TSError("invalid config file"); - return false; - } - TSDebug(PLUGIN_NAME, "trying to open config file in this path: %s", file_path); - file = TSfopen(config_file, "r"); - if (file == NULL) { - snprintf(file_path, sizeof(file_path), "%s/%s", TSInstallDirGet(), config_file); - file = TSfopen(file_path, "r"); - if (file == NULL) { - TSError("Failed to open config file %s", config_file); - return false; - } - } - char buffer[MAX_BUFFER_SIZE]; - memset(buffer, 0, sizeof(buffer)); - while (TSfgets(file, buffer, sizeof(buffer) - 1) != NULL) { - char *eol = 0; - // make sure line was not bigger than buffer - if ((eol = strchr(buffer, '\n')) == NULL && (eol = strstr(buffer, "\r\n")) == NULL) { - TSError("sni_proto_nego line too long, did not get a good line in cfg, skipping, line: %s", buffer); - memset(buffer, 0, sizeof(buffer)); - continue; - } - // make sure line has something useful on it - if (eol - buffer < 2 || buffer[0] == '#') { - memset(buffer, 0, sizeof(buffer)); - continue; - } - char* cfg = strtok(buffer, "\n\r\n"); - - if (cfg != NULL) { - TSDebug(PLUGIN_NAME, "setting SniProto based on string: %s", cfg); - - char* domain = strtok(buffer, " "); - SNIProtoConfig sniProtoConfig = {1, 1}; - - if (domain) { - if ((*domain == '*') && (domain+1) && (*(domain+1)=='.')) { - domain += 2; - if (domain == NULL) { - continue; - } - } - char* sni_proto_config = strtok (NULL, " "); - if (sni_proto_config) { - sniProtoConfig.enableNpn = atoi(sni_proto_config); - TSDebug(PLUGIN_NAME, "npn_proto_config %d", sniProtoConfig.enableNpn); - sni_proto_config = strtok (NULL, " "); - // now get the npn proto advertisment list - sni_proto_config = strtok (NULL, " "); - sniProtoConfig.npn_proto_list_count = 0; - while (sni_proto_config != NULL) { - char* proto = strtok(NULL, "|"); - if ((proto == NULL) || - (sniProtoConfig.npn_proto_list_count >= MAX_PROTO_LIST_LEN) || - (strlen(proto) >= MAX_PROTO_NAME_LEN)) { - break; - } - _TSstrlcpy((char*)sniProtoConfig.npn_proto_list[sniProtoConfig.npn_proto_list_count++], proto, (strlen(proto) + 1)); - } - } - _sniProtoMap.insert(make_pair(domain, sniProtoConfig)); - } - - memset(buffer, 0, sizeof(buffer)); - } - } - - TSfclose(file); - - TSDebug(PLUGIN_NAME, "Done parsing config"); - - return true; -} - - -static void -init_sni_callback(void *sslNetVC) -{ - TSVConn ssl_vc = reinterpret_cast<TSVConn>(sslNetVC); - TSSslConnection sslobj = TSVConnSSLConnectionGet(ssl_vc); - SSL *ssl = reinterpret_cast<SSL *>(sslobj); - const char *serverName = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); - SSL_CTX * ctx = SSL_get_SSL_CTX(ssl); - - if (serverName == NULL) { - TSDebug(PLUGIN_NAME, "invalid ssl netVC %p, servername %s for ssl obj %p", sslNetVC, serverName, ssl); - return; - } - - TSDebug(PLUGIN_NAME, "ssl netVC %p, servername %s for ssl obj %p", sslNetVC, serverName, ssl); - - stringMap::iterator it; - it=_sniProtoMap.find(serverName); - - // check for wild-card domains - if(it==_sniProtoMap.end()) { - char* domain = strstr((char*)serverName, "."); - if (domain && (domain+1)) { - it=_sniProtoMap.find(domain+1); - } - } - - if (it!=_sniProtoMap.end()) { - SNIProtoConfig sniProtoConfig = it->second; - if (!sniProtoConfig.enableNpn) { - TSDebug(PLUGIN_NAME, "disabling NPN for serverName %s", serverName); - SSL_CTX_set_next_protos_advertised_cb(ctx, NULL, NULL); - } else { - TSDebug(PLUGIN_NAME, "setting NPN advertised list for %s", serverName); - TSSslAdvertiseProtocolSet(ssl_vc, (const unsigned char **)sniProtoConfig.npn_proto_list, sniProtoConfig.npn_proto_list_count); - } - } else { - TSDebug(PLUGIN_NAME, "setting NPN advertised list for %s", serverName); - TSSslAdvertiseProtocolSet(ssl_vc, NULL, 0); - } -} - -int -SSLSniInitCallbackHandler(TSCont cont, TSEvent id, void* sslNetVC) { - (void) cont; - TSDebug(PLUGIN_NAME, "SSLSniInitCallbackHandler with id %d", id); - switch (id) { - case TS_SSL_SNI_HOOK: - { - init_sni_callback(sslNetVC); - } - break; - - default: - TSDebug(PLUGIN_NAME, "Unexpected event %d", id); - break; - } - - return TS_EVENT_NONE; -} - -void -TSPluginInit(int argc, const char *argv[]) -{ - (void) argc; - TSPluginRegistrationInfo info; - - info.plugin_name = (char *)("sni_proto_nego"); - info.vendor_name = (char *)("ats"); - - if (TSPluginRegister(TS_SDK_VERSION_3_0, &info) != TS_SUCCESS) { - TSError("Plugin registration failed."); - } - - char* config_file = (char*)"conf/sni_proto_nego/sni_proto_nego.config"; - - if (argc >= 2) { - config_file = (char*)argv[1]; - } - - if (!read_config(config_file)) { - TSDebug(PLUGIN_NAME, "nothing to do.."); - return; - } - - TSCont cont = TSContCreate(SSLSniInitCallbackHandler, NULL); - TSHttpHookAdd(TS_SSL_SNI_HOOK, cont); -} http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/proxy/InkAPI.cc ---------------------------------------------------------------------- diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc index d61e997..62f0870 100644 --- a/proxy/InkAPI.cc +++ b/proxy/InkAPI.cc @@ -8757,16 +8757,6 @@ tsapi int TSVConnIsSsl(TSVConn sslp) return ssl_vc != NULL; } -tsapi TSReturnCode -TSSslAdvertiseProtocolSet(TSVConn sslp, const unsigned char ** list, unsigned int count) -{ - NetVConnection *vc = reinterpret_cast<NetVConnection*>(sslp); - SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection*>(vc); - sdk_assert(sdk_sanity_check_null_ptr((void*)ssl_vc) == TS_SUCCESS); - ssl_vc->setAdvertiseProtocols(list, count); - return TS_SUCCESS; -} - void TSVConnReenable(TSVConn vconn) { http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a0bad98e/proxy/api/ts/ts.h ---------------------------------------------------------------------- diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h index 8950b5c..b5b0abe 100644 --- a/proxy/api/ts/ts.h +++ b/proxy/api/ts/ts.h @@ -1238,7 +1238,6 @@ extern "C" tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const*); // Returns 1 if the sslp argument refers to a SSL connection tsapi int TSVConnIsSsl(TSVConn sslp); - tsapi TSReturnCode TSSslAdvertiseProtocolSet(TSVConn sslp, const unsigned char ** list, unsigned int count); /* -------------------------------------------------------------------------- HTTP transactions */
