This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch quic-latest in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit bd09c194af798c32306923bb637e4a0def946002 Author: Masaori Koshiba <[email protected]> AuthorDate: Mon Mar 26 12:46:03 2018 +0900 Separate SSL_CTX for client and server As for client, add SSL_CTX* to QUICConfig, just like SSLConfig has SSL_CTX *client_ctx. As for server, add SSL_CTX* to QUICConfig too for now. Probably this should be integrated with SSLCertLookup or SNIConfigParams. --- iocore/net/P_QUICNetProcessor.h | 2 - iocore/net/P_QUICNetVConnection.h | 2 +- iocore/net/P_QUICPacketHandler.h | 3 +- iocore/net/QUICNetProcessor.cc | 45 +-------------------- iocore/net/QUICNetVConnection.cc | 9 +++-- iocore/net/QUICPacketHandler.cc | 8 ++-- iocore/net/quic/QUICConfig.cc | 83 +++++++++++++++++++++++++++++++++++++++ iocore/net/quic/QUICConfig.h | 13 ++++++ 8 files changed, 110 insertions(+), 55 deletions(-) diff --git a/iocore/net/P_QUICNetProcessor.h b/iocore/net/P_QUICNetProcessor.h index c9d6c2a..59fb931 100644 --- a/iocore/net/P_QUICNetProcessor.h +++ b/iocore/net/P_QUICNetProcessor.h @@ -73,8 +73,6 @@ public: private: QUICNetProcessor(const QUICNetProcessor &); QUICNetProcessor &operator=(const QUICNetProcessor &); - - SSL_CTX *_ssl_ctx = nullptr; }; extern QUICNetProcessor quic_NetProcessor; diff --git a/iocore/net/P_QUICNetVConnection.h b/iocore/net/P_QUICNetVConnection.h index 83bef51..ba4a657 100644 --- a/iocore/net/P_QUICNetVConnection.h +++ b/iocore/net/P_QUICNetVConnection.h @@ -165,7 +165,7 @@ public: int state_connection_closing(int event, Event *data); int state_connection_draining(int event, Event *data); int state_connection_closed(int event, Event *data); - void start(SSL_CTX *); + void start(); void free(EThread *t) override; void destroy(EThread *t); diff --git a/iocore/net/P_QUICPacketHandler.h b/iocore/net/P_QUICPacketHandler.h index 886ce70..8ffd36a 100644 --- a/iocore/net/P_QUICPacketHandler.h +++ b/iocore/net/P_QUICPacketHandler.h @@ -59,7 +59,7 @@ protected: class QUICPacketHandlerIn : public NetAccept, public QUICPacketHandler { public: - QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt, SSL_CTX *); + QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt); ~QUICPacketHandlerIn(); // NetAccept @@ -75,7 +75,6 @@ private: void _recv_packet(int event, UDPPacket *udp_packet) override; QUICConnectionTable *_ctable = nullptr; - SSL_CTX *_ssl_ctx; }; /* diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc index 55c7b10..94d6fb6 100644 --- a/iocore/net/QUICNetProcessor.cc +++ b/iocore/net/QUICNetProcessor.cc @@ -27,8 +27,6 @@ #include "QUICGlobals.h" #include "QUICConfig.h" -#include "QUICTransportParameters.h" -#include "QUICStatelessRetry.h" // // Global Data @@ -48,7 +46,6 @@ QUICNetProcessor::~QUICNetProcessor() void QUICNetProcessor::cleanup() { - SSL_CTX_free(this->_ssl_ctx); } void @@ -68,55 +65,17 @@ QUICNetProcessor::start(int, size_t stacksize) // This initialization order matters ... // QUICInitializeLibrary(); QUICConfig::startup(); - QUICStatelessRetry::init(); - -#ifdef TLS1_3_VERSION_DRAFT_TXT - // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed - Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT); -#endif - - // Acquire a QUICConfigParams instance *after* we start QUIC up. - // QUICConfig::scoped_config params; // Initialize QUIC statistics. This depends on an initial set of certificates being loaded above. // QUICInitializeStatistics(); - // TODO: separate SSL_CTX for client and server - // TODO: load certs from SSLConfig - this->_ssl_ctx = SSL_CTX_new(TLS_method()); - SSL_CTX_set_min_proto_version(this->_ssl_ctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version(this->_ssl_ctx, TLS1_3_VERSION); - - // FIXME: OpenSSL (1.1.1-alpha) enable this option by default. But this shoule be removed when OpenSSL disable this by default. - SSL_CTX_clear_options(this->_ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); - - SSL_CTX_set_alpn_select_cb(this->_ssl_ctx, QUIC::ssl_select_next_protocol, nullptr); - SSL_CTX_set_max_early_data(this->_ssl_ctx, UINT32_C(0xFFFFFFFF)); - SSL_CTX_add_custom_ext(this->_ssl_ctx, QUICTransportParametersHandler::TRANSPORT_PARAMETER_ID, - SSL_EXT_TLS_ONLY | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, - &QUICTransportParametersHandler::add, &QUICTransportParametersHandler::free, nullptr, - &QUICTransportParametersHandler::parse, nullptr); - - // callbacks for cookie ext - // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463 - SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUICStatelessRetry::generate_cookie); - SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUICStatelessRetry::verify_cookie); - - SSLConfig::scoped_config params; - SSLParseCertificateConfiguration(params, this->_ssl_ctx); - - if (SSL_CTX_check_private_key(this->_ssl_ctx) != 1) { - Error("check private key failed"); - // ink_assert(false); - } - return 0; } NetAccept * QUICNetProcessor::createNetAccept(const NetProcessor::AcceptOptions &opt) { - return (NetAccept *)new QUICPacketHandlerIn(opt, this->_ssl_ctx); + return (NetAccept *)new QUICPacketHandlerIn(opt); } NetVConnection * @@ -195,7 +154,7 @@ QUICNetProcessor::connect_re(Continuation *cont, sockaddr const *remote_addr, Ne SET_CONTINUATION_HANDLER(vc, &QUICNetVConnection::startEvent); - vc->start(this->_ssl_ctx); + vc->start(); if (t->is_event_type(opt->etype)) { MUTEX_TRY_LOCK(lock, cont->mutex, t); diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc index 8e22c80..cc8e72b 100644 --- a/iocore/net/QUICNetVConnection.cc +++ b/iocore/net/QUICNetVConnection.cc @@ -174,16 +174,17 @@ QUICNetVConnection::startEvent(int event, Event *e) // XXX This might be called on ET_UDP thread void -QUICNetVConnection::start(SSL_CTX *ssl_ctx) +QUICNetVConnection::start() { + QUICConfig::scoped_config params; + this->_five_tuple.update(this->local_addr, this->remote_addr, SOCK_DGRAM); // Version 0x00000001 uses stream 0 for cryptographic handshake with TLS 1.3, but newer version may not if (this->direction() == NET_VCONNECTION_IN) { - QUICConfig::scoped_config params; this->_reset_token.generate(this->_quic_connection_id, params->server_id()); - this->_handshake_handler = new QUICHandshake(this, ssl_ctx, this->_reset_token, params->stateless_retry()); + this->_handshake_handler = new QUICHandshake(this, params->server_ssl_ctx(), this->_reset_token, params->stateless_retry()); } else { - this->_handshake_handler = new QUICHandshake(this, ssl_ctx); + this->_handshake_handler = new QUICHandshake(this, params->client_ssl_ctx()); this->_handshake_handler->start(&this->_packet_factory); } this->_application_map = new QUICApplicationMap(); diff --git a/iocore/net/QUICPacketHandler.cc b/iocore/net/QUICPacketHandler.cc index 2561005..5bbb4a5 100644 --- a/iocore/net/QUICPacketHandler.cc +++ b/iocore/net/QUICPacketHandler.cc @@ -23,6 +23,8 @@ #include "P_Net.h" #include "P_QUICClosedConCollector.h" + +#include "QUICGlobals.h" #include "QUICConfig.h" #include "QUICPacket.h" #include "QUICDebugNames.h" @@ -88,7 +90,7 @@ QUICPacketHandler::_read_connection_id(IOBufferBlock *block) // // QUICPacketHandlerIn // -QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt, SSL_CTX *ctx) : NetAccept(opt), _ssl_ctx(ctx) +QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt) : NetAccept(opt) { this->mutex = new_ProxyMutex(); // create Connection Table @@ -112,7 +114,7 @@ NetAccept * QUICPacketHandlerIn::clone() const { NetAccept *na; - na = new QUICPacketHandlerIn(opt, this->_ssl_ctx); + na = new QUICPacketHandlerIn(opt); *na = *this; return na; } @@ -218,7 +220,7 @@ QUICPacketHandlerIn::_recv_packet(int event, UDPPacket *udp_packet) vc->action_ = *this->action_; vc->set_is_transparent(this->opt.f_inbound_transparent); vc->set_context(NET_VCONNECTION_IN); - vc->start(this->_ssl_ctx); + vc->start(); vc->options.ip_proto = NetVCOptions::USE_UDP; vc->options.ip_family = udp_packet->from.sa.sa_family; diff --git a/iocore/net/quic/QUICConfig.cc b/iocore/net/quic/QUICConfig.cc index 0b8c00c..f440d59 100644 --- a/iocore/net/quic/QUICConfig.cc +++ b/iocore/net/quic/QUICConfig.cc @@ -23,14 +23,80 @@ #include "QUICConfig.h" +#include <openssl/ssl.h> #include <records/I_RecHttp.h> +#include "P_SSLConfig.h" + +#include "QUICGlobals.h" +#include "QUICTransportParameters.h" +#include "QUICStatelessRetry.h" + int QUICConfig::_config_id = 0; int QUICConfigParams::_connection_table_size = 65521; +static SSL_CTX * +quic_new_ssl_ctx() +{ +#ifdef TLS1_3_VERSION_DRAFT_TXT + // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed + Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT); +#endif + + SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method()); + + SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION); + SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION); + + // FIXME: OpenSSL (1.1.1-alpha) enable this option by default. But this shoule be removed when OpenSSL disable this by default. + SSL_CTX_clear_options(ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); + + SSL_CTX_set_max_early_data(ssl_ctx, UINT32_C(0xFFFFFFFF)); + + SSL_CTX_add_custom_ext(ssl_ctx, QUICTransportParametersHandler::TRANSPORT_PARAMETER_ID, + SSL_EXT_TLS_ONLY | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, + &QUICTransportParametersHandler::add, &QUICTransportParametersHandler::free, nullptr, + &QUICTransportParametersHandler::parse, nullptr); + return ssl_ctx; +} + +static SSL_CTX * +quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx) +{ + SSLConfig::scoped_config ssl_params; + SSLParseCertificateConfiguration(ssl_params, ssl_ctx); + + if (SSL_CTX_check_private_key(ssl_ctx) != 1) { + Error("check private key failed"); + } + + // callbacks for cookie ext + // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463 + SSL_CTX_set_stateless_cookie_generate_cb(ssl_ctx, QUICStatelessRetry::generate_cookie); + SSL_CTX_set_stateless_cookie_verify_cb(ssl_ctx, QUICStatelessRetry::verify_cookie); + + SSL_CTX_set_alpn_select_cb(ssl_ctx, QUIC::ssl_select_next_protocol, nullptr); + + return ssl_ctx; +} + +static SSL_CTX * +quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx) +{ + // SSL_CTX_set_alpn_protos() + + return ssl_ctx; +} + // // QUICConfigParams // +QUICConfigParams::~QUICConfigParams() +{ + SSL_CTX_free(this->_server_ssl_ctx); + SSL_CTX_free(this->_client_ssl_ctx); +}; + void QUICConfigParams::initialize() { @@ -41,6 +107,11 @@ QUICConfigParams::initialize() REC_EstablishStaticConfigInt32U(this->_server_id, "proxy.config.quic.server_id"); REC_EstablishStaticConfigInt32(this->_connection_table_size, "proxy.config.quic.connection_table.size"); REC_EstablishStaticConfigInt32U(this->_stateless_retry, "proxy.config.quic.stateless_retry"); + + QUICStatelessRetry::init(); + + this->_server_ssl_ctx = quic_init_server_ssl_ctx(quic_new_ssl_ctx()); + this->_client_ssl_ctx = quic_init_client_ssl_ctx(quic_new_ssl_ctx()); } uint32_t @@ -109,6 +180,18 @@ QUICConfigParams::initial_max_stream_id_uni_out() const return this->_initial_max_stream_id_uni_out; } +SSL_CTX * +QUICConfigParams::server_ssl_ctx() const +{ + return this->_server_ssl_ctx; +} + +SSL_CTX * +QUICConfigParams::client_ssl_ctx() const +{ + return this->_client_ssl_ctx; +} + // // QUICConfig // diff --git a/iocore/net/quic/QUICConfig.h b/iocore/net/quic/QUICConfig.h index 4ae7721..43bac32 100644 --- a/iocore/net/quic/QUICConfig.h +++ b/iocore/net/quic/QUICConfig.h @@ -23,10 +23,16 @@ #pragma once +#include <openssl/ssl.h> + #include "ProxyConfig.h" + class QUICConfigParams : public ConfigInfo { public: + QUICConfigParams(){}; + ~QUICConfigParams(); + void initialize(); uint32_t no_activity_timeout_in() const; @@ -41,6 +47,9 @@ public: static int connection_table_size(); uint32_t stateless_retry() const; + SSL_CTX *server_ssl_ctx() const; + SSL_CTX *client_ssl_ctx() const; + private: // FIXME Fill appropriate default values in RecordsConfig.cc uint32_t _no_activity_timeout_in = 0; @@ -55,6 +64,10 @@ private: uint32_t _initial_max_stream_id_bidi_out = 101; uint32_t _initial_max_stream_id_uni_in = 102; uint32_t _initial_max_stream_id_uni_out = 103; + + // TODO: integrate with SSLCertLookup or SNIConfigParams + SSL_CTX *_server_ssl_ctx = nullptr; + SSL_CTX *_client_ssl_ctx = nullptr; }; class QUICConfig -- To stop receiving notification emails like this one, please contact [email protected].
