This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch quic-latest in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 2389503983f52fc0914d473489e768596eb51321
Author: Masaori Koshiba <[email protected]>
AuthorDate: Mon Mar 26 14:45:11 2018 +0900
Add suported_group configs
---
iocore/net/QUICNetProcessor.cc | 6 ++++--
iocore/net/quic/QUICConfig.cc | 46 +++++++++++++++++++++++++++++++++---------
iocore/net/quic/QUICConfig.h | 5 +++++
mgmt/RecordsConfig.cc | 4 ++++
4 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc
index 94d6fb6..e580a62 100644
--- a/iocore/net/QUICNetProcessor.cc
+++ b/iocore/net/QUICNetProcessor.cc
@@ -66,8 +66,10 @@ QUICNetProcessor::start(int, size_t stacksize)
 // QUICInitializeLibrary();
 QUICConfig::startup();
- // Initialize QUIC statistics. This depends on an initial set of certificates being loaded above.
- // QUICInitializeStatistics();
+#ifdef TLS1_3_VERSION_DRAFT_TXT
+ // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
+ Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
+#endif
 return 0;
 }
diff --git a/iocore/net/quic/QUICConfig.cc b/iocore/net/quic/QUICConfig.cc
index f440d59..84d8e9e 100644
--- a/iocore/net/quic/QUICConfig.cc
+++ b/iocore/net/quic/QUICConfig.cc
@@ -38,11 +38,6 @@ int QUICConfigParams::_connection_table_size = 65521;
 static SSL_CTX *
 quic_new_ssl_ctx()
 {
-#ifdef TLS1_3_VERSION_DRAFT_TXT
- // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
- Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
-#endif
-
 SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
 SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION);
@@ -61,8 +56,10 @@ quic_new_ssl_ctx()
 }
 static SSL_CTX *
-quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx)
+quic_init_server_ssl_ctx(const QUICConfigParams *params)
 {
+ SSL_CTX *ssl_ctx = quic_new_ssl_ctx();
+
 SSLConfig::scoped_config ssl_params;
 SSLParseCertificateConfiguration(ssl_params, ssl_ctx);
@@ -77,14 +74,28 @@ quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx)
 SSL_CTX_set_alpn_select_cb(ssl_ctx, QUIC::ssl_select_next_protocol, nullptr);
+ if (params->server_supported_groups() != nullptr) {
+ if (SSL_CTX_set1_groups_list(ssl_ctx, params->server_supported_groups()) != 1) {
+ Error("SSL_CTX_set1_groups_list failed");
+ }
+ }
+
 return ssl_ctx;
 }
 static SSL_CTX *
-quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx)
+quic_init_client_ssl_ctx(const QUICConfigParams *params)
 {
+ SSL_CTX *ssl_ctx = quic_new_ssl_ctx();
+
 // SSL_CTX_set_alpn_protos()
+ if (params->client_supported_groups() != nullptr) {
+ if (SSL_CTX_set1_groups_list(ssl_ctx, params->client_supported_groups()) != 1) {
+ Error("SSL_CTX_set1_groups_list failed");
+ }
+ }
+
 return ssl_ctx;
 }
@@ -93,6 +104,9 @@ quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx)
 //
 QUICConfigParams::~QUICConfigParams()
 {
+ this->_server_supported_groups = (char *)ats_free_null(this->_server_supported_groups);
+ this->_client_supported_groups = (char *)ats_free_null(this->_client_supported_groups);
+
 SSL_CTX_free(this->_server_ssl_ctx);
 SSL_CTX_free(this->_client_ssl_ctx);
 };
@@ -107,11 +121,13 @@ QUICConfigParams::initialize()
 REC_EstablishStaticConfigInt32U(this->_server_id, "proxy.config.quic.server_id");
 REC_EstablishStaticConfigInt32(this->_connection_table_size, "proxy.config.quic.connection_table.size");
 REC_EstablishStaticConfigInt32U(this->_stateless_retry, "proxy.config.quic.stateless_retry");
+ REC_ReadConfigStringAlloc(this->_server_supported_groups, "proxy.config.quic.server.supported_groups");
+ REC_ReadConfigStringAlloc(this->_client_supported_groups, "proxy.config.quic.client.supported_groups");
 QUICStatelessRetry::init();
- this->_server_ssl_ctx = quic_init_server_ssl_ctx(quic_new_ssl_ctx());
- this->_client_ssl_ctx = quic_init_client_ssl_ctx(quic_new_ssl_ctx());
+ this->_server_ssl_ctx = quic_init_server_ssl_ctx(this);
+ this->_client_ssl_ctx = quic_init_client_ssl_ctx(this);
 }
 uint32_t
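Review bot: A rejected groups list in the two new `SSL_CTX_set1_groups_list` blocks is only reported with `Error(...)` and the context is still returned, so OpenSSL keeps negotiating its built-in default groups; a typo in `proxy.config.quic.server.supported_groups` therefore silently widens what the server accepts instead of enforcing the operator's restriction, and the message does not even say which list was rejected. For a security setting this should fail closed (drop the context and return nullptr so `initialize()` can refuse to start, or use ATS's fatal-error path if that is acceptable at startup — `initialize()` is in a later hunk and would need the corresponding check). The server and client blocks are also identical apart from the accessor, which invites drift; one static helper that reports whether the list was applied covers both, assuming `Error()` takes a printf-style format the way `Debug()` does elsewhere in this file. Both enclosing functions continue outside this hunk.
```cpp
// Apply an operator-supplied TLS groups list. Returns false when OpenSSL rejects it;
// the caller must not keep using the context, or the configured restriction is lost.
static bool
quic_set_supported_groups(SSL_CTX *ssl_ctx, const char *groups)
{
  if (groups == nullptr) {
    return true; // record unset: keep the library default, as before
  }
  if (SSL_CTX_set1_groups_list(ssl_ctx, groups) != 1) {
    Error("SSL_CTX_set1_groups_list failed for \"%s\"", groups);
    return false;
  }
  return true;
}

// … in quic_init_server_ssl_ctx, after SSL_CTX_set_alpn_select_cb …
  if (!quic_set_supported_groups(ssl_ctx, params->server_supported_groups())) {
    SSL_CTX_free(ssl_ctx);
    return nullptr;
  }
// … unchanged: return ssl_ctx; the client variant calls the helper with client_supported_groups() …
```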
@@ -180,6 +196,18 @@ QUICConfigParams::initial_max_stream_id_uni_out() const
 return this->_initial_max_stream_id_uni_out;
 }
+const char *
+QUICConfigParams::server_supported_groups() const
+{
+ return this->_server_supported_groups;
+}
+
+const char *
+QUICConfigParams::client_supported_groups() const
+{
+ return this->_client_supported_groups;
+}
+
 SSL_CTX *
 QUICConfigParams::server_ssl_ctx() const
 {
diff --git a/iocore/net/quic/QUICConfig.h b/iocore/net/quic/QUICConfig.h
index 43bac32..1fc1797 100644
--- a/iocore/net/quic/QUICConfig.h
+++ b/iocore/net/quic/QUICConfig.h
@@ -46,6 +46,8 @@ public:
 uint32_t server_id() const;
 static int connection_table_size();
 uint32_t stateless_retry() const;
+ const char *server_supported_groups() const;
+ const char *client_supported_groups() const;
 SSL_CTX *server_ssl_ctx() const;
 SSL_CTX *client_ssl_ctx() const;
@@ -65,6 +67,9 @@ private:
 uint32_t _initial_max_stream_id_uni_in = 102;
 uint32_t _initial_max_stream_id_uni_out = 103;
+ char *_server_supported_groups;
+ char *_client_supported_groups;
+
 // TODO: integrate with SSLCertLookup or SNIConfigParams
 SSL_CTX *_server_ssl_ctx = nullptr;
 SSL_CTX *_client_ssl_ctx = nullptr;
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 89df43c..5032858 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
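Review bot: The two new members in the `private:` hunk of QUICConfig.h are declared without an in-class initializer, while the neighbouring `SSL_CTX *_server_ssl_ctx = nullptr;` members are zeroed; the destructor in QUICConfig.cc passes both to `ats_free_null`, so an instance destroyed before `initialize()` ran (or one where `REC_ReadConfigStringAlloc` left the pointer untouched — its contract is not visible here) would free an indeterminate pointer. Declare them as `char *_server_supported_groups = nullptr;` and `char *_client_supported_groups = nullptr;`, which also makes the `!= nullptr` guards in the ctx-init functions meaningful in every path. The class definition begins outside this hunk.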
@@ -1330,6 +1330,10 @@ static const RecordElement RecordsConfig[] =
 ,
 {RECT_CONFIG, "proxy.config.quic.stateless_retry", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
+ {RECT_CONFIG, "proxy.config.quic.server.supported_groups", RECD_STRING, "P-256:X25519:P-384:P-521" , RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.quic.client.supported_groups", RECD_STRING, "P-256:X25519:P-384:P-521" , RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ ,
 //# Add LOCAL Records Here
 {RECT_LOCAL, "proxy.local.incoming_ip_to_bind", RECD_STRING, nullptr, RECU_NULL, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
--
To stop receiving notification emails like this one, please contact [email protected].
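Review bot: Both new records are registered with `RECC_NULL` and no check expression, so a malformed list is accepted at config-load time and only surfaces when QUICConfig.cc hands it to OpenSSL at startup; a comment next to the records naming the accepted syntax would help operators, e.g. `// OpenSSL group names separated by ':' (e.g. "X25519:P-256"); validated only when the SSL_CTX is built`. The order of the default also deserves a second look: the list is a preference order, and for the client context OpenSSL, as far as I recall, sends a key_share only for the first configured group, so putting `P-256` first means every outbound handshake offers P-256 and a peer that prefers X25519 has to answer with a HelloRetryRequest round trip; `"X25519:P-256:P-384:P-521"` is the more common TLS 1.3 ordering. Whether the server side honours its own order or the client's depends on `SSL_OP_CIPHER_SERVER_PREFERENCE`, which is set (if at all) outside this diff.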
