This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit c59884c10a090eb337035268cfad92b29f4ff45b Author: Susan Hinrichs <[email protected]> AuthorDate: Tue Aug 6 16:32:41 2019 +0000 Fixed the InkAPI to provide the TSVConnProtocolEnable/Disable functions. Update documentation and updated the example plugin. --- .../api/functions/TSProtoSet.en.rst | 46 ------------------- doc/developer-guide/api/functions/TSTypes.en.rst | 2 - .../api/functions/TSVConnProtocol.en.rst | 51 ++++++++++++++++++++++ doc/developer-guide/api/types/TSHttpHookID.en.rst | 2 + .../plugins/c-api/disable_http2/disable_http2.cc | 35 ++------------- include/ts/apidefs.h.in | 1 - include/ts/ts.h | 5 +-- src/traffic_server/InkAPI.cc | 44 ++++++++----------- 8 files changed, 77 insertions(+), 109 deletions(-) diff --git a/doc/developer-guide/api/functions/TSProtoSet.en.rst b/doc/developer-guide/api/functions/TSProtoSet.en.rst deleted file mode 100644 index 8b57209..0000000 --- a/doc/developer-guide/api/functions/TSProtoSet.en.rst +++ /dev/null 
@@ -1,46 +0,0 @@ -.. Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed - with this work for additional information regarding copyright - ownership. The ASF licenses this file to you under the Apache - License, Version 2.0 (the "License"); you may not use this file - except in compliance with the License. You may obtain a copy of - the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied. See the License for the specific language governing - permissions and limitations under the License. - -.. include:: ../../../common.defs - -.. default-domain:: c - -TSProtoSet -****************** - -Synopsis -======== - -`#include <ts/ts.h>` - -.. function:: TSNextProtocolSet TSGetcloneProtoSet(TSAcceptor tna) -.. function:: TSNextProtocolSet TSUnregisterProtocol(TSNextProtocolSet protoset, const char* protocol) -.. function:: void TSRegisterProtocolSet(TSVConn sslp, TSNextProtocolSet ps) - -Description -=========== - -:func:`TSGetcloneProtoSet` makes a copy of the ProtocolSet to be advertised by the ssl connection associated with :arg:`tna`. This function -returns :type:`TSNextProtocolSet` object which points to a clone of the protocolset owned by :arg:`tna`. This type represents the protocolset -containing the protocols which are advertised by an ssl connection during ssl handshake. Each :type:`TSAcceptor` object is associated with a protocolset. - - -:func:`TSUnregisterProtocol` unregisters :arg:`protocol` from :arg:`protoset` and returns the protocol set. -The returned protocol set needs to be registered with the :type:`TSVConn` using :func:`TSRegisterProtocolSet` that will advertise the protocols. - - -:func:`TSRegisterProtocolSet` registers :arg:`ps` with :arg:`sslp`. 
This function clears the protocolset string created by the already registered -protocolset before registering the new protocolset. On Success, the ssl object associated with :arg:`sslp` will then advertise the protocols contained in :arg:`ps`. diff --git a/doc/developer-guide/api/functions/TSTypes.en.rst b/doc/developer-guide/api/functions/TSTypes.en.rst index 6738202..9ffc318 100644 --- a/doc/developer-guide/api/functions/TSTypes.en.rst +++ b/doc/developer-guide/api/functions/TSTypes.en.rst @@ -213,8 +213,6 @@ more widely. Those are described on this page. .. type:: TSAcceptor -.. type:: TSNextProtocolSet - .. cpp:class:: template <typename T> LINK .. cpp:class:: VersionNumber diff --git a/doc/developer-guide/api/functions/TSVConnProtocol.en.rst b/doc/developer-guide/api/functions/TSVConnProtocol.en.rst new file mode 100644 index 0000000..49d1b88 --- /dev/null +++ b/doc/developer-guide/api/functions/TSVConnProtocol.en.rst 
@@ -0,0 +1,51 @@ +.. Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed + with this work for additional information regarding copyright + ownership. The ASF licenses this file to you under the Apache + License, Version 2.0 (the "License"); you may not use this file + except in compliance with the License. You may obtain a copy of + the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied. See the License for the specific language governing + permissions and limitations under the License. + +.. include:: ../../../common.defs + +.. default-domain:: c + +TSVConnProtocolEnable/Disable +***************************** + +Synopsis +======== + +`#include <ts/ts.h>` + +.. function:: TSReturnCode TSVConnProtocolEnable(TSVConn vconn, const char* protocol) +.. function:: TSReturnCode TSVConnProtocolDisable(TSVConn vconn, const char* protocol) + +Description +=========== + +:func:`TSVConnProtocolEnable` will enable the protocol specified by :arg:`protocol` to be advertised in the TLS protocol negotiation. + +Similarly, :func:`TSVConnProtocolDisable` will remove the protocol specified by :arg:`protocol` from the TLS protocol negotiation. + +To be effective, these calls must be made from the early TLS negotiation hooks like :member:`TS_SSL_CLIENT_HELLO_HOOK` or :member:`TS_SSL_SERVERNAME_HOOK`. + +Examples +======== + +The example below is excerpted from `example/plugins/c-api/disable_http2/disable_http2.cc` +in the Traffic Server source distribution. It shows how the :func:`TSVConnProtocolDisable` function +can be used in a plugin called from the :member:`TS_SSL_SERVERNAME_HOOK`. + +.. 
literalinclude:: ../../../../example/plugins/c-api/disable_http2/disable_http2.cc + :language: c + :lines: 41-54 + diff --git a/doc/developer-guide/api/types/TSHttpHookID.en.rst b/doc/developer-guide/api/types/TSHttpHookID.en.rst index dd09fbc..6637595 100644 --- a/doc/developer-guide/api/types/TSHttpHookID.en.rst +++ b/doc/developer-guide/api/types/TSHttpHookID.en.rst @@ -78,6 +78,8 @@ Enumeration Members .. c:macro:: TSHttpHookID TS_VCONN_OUTBOUND_CLOSE_HOOK +.. c:macro:: TSHttpHookID TS_SSL_CLIENT_HELLO_HOOK + .. c:macro:: TSHttpHookID TS_SSL_SNI_HOOK .. c:macro:: TSHttpHookID TS_SSL_CERT_HOOK diff --git a/example/plugins/c-api/disable_http2/disable_http2.cc b/example/plugins/c-api/disable_http2/disable_http2.cc index 4fd0fc5..0169bc4 100644 --- a/example/plugins/c-api/disable_http2/disable_http2.cc +++ b/example/plugins/c-api/disable_http2/disable_http2.cc @@ -27,7 +27,6 @@ #include <ts/ts.h> -#include <unordered_map> #include <unordered_set> #include <string> #include <cstring> @@ -35,9 +34,6 @@ #define PLUGIN_NAME "disable_http2" -typedef std::unordered_map<int, TSNextProtocolSet> AcceptorMapping; // stores protocolset keyed by NetAccept ID -AcceptorMapping AcceptorMap; - // Map of domains to tweak. using DomainSet = std::unordered_set<std::string>; DomainSet Domains; @@ -51,10 +47,8 @@ CB_SNI(TSCont contp, TSEvent, void *cb_data) char const *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (sni) { if (Domains.find(sni) != Domains.end()) { - TSAcceptor na = TSAcceptorGet(vc); - int nid = TSAcceptorIDGet(na); - TSNextProtocolSet ps = AcceptorMap[nid]; // get our copy of the protocol set. - TSRegisterProtocolSet(vc, ps); // replace default protocol set with the copy. + TSDebug(PLUGIN_NAME, "Disable H2 for SNI=%s", sni); + TSVConnProtocolDisable(vc, TS_ALPN_PROTOCOL_HTTP_2_0); } } 
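Review bot: The result of `TSVConnProtocolDisable(vc, TS_ALPN_PROTOCOL_HTTP_2_0)` in CB_SNI is discarded, so if the call returns TS_ERROR the handshake continues with HTTP/2 still advertised for a domain the operator asked to restrict, and nothing records it. The `TSDebug` line is also emitted before the call, so the trace reads "Disable H2" whether or not the restriction took effect. Checking the result would make the failure visible, for example `if (TSVConnProtocolDisable(vc, TS_ALPN_PROTOCOL_HTTP_2_0) != TS_SUCCESS) { TSError("[%s] could not disable H2 for SNI=%s", PLUGIN_NAME, sni); }`. This is the example plugin, so other plugins are likely to copy the pattern. CB_SNI starts before this hunk and ends after it.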
@@ -62,27 +56,6 @@ CB_SNI(TSCont contp, TSEvent, void *cb_data) return TS_SUCCESS; } -int -CB_NetAcceptReady(TSCont contp, TSEvent event, void *cb_data) -{ - switch (event) { - case TS_EVENT_LIFECYCLE_PORTS_READY: - // The accept objects are all created and ready at this point. We - // can now iterate over them. - for (int i = 0, totalNA = TSAcceptorCount(); i < totalNA; ++i) { - TSAcceptor netaccept = TSAcceptorGetbyID(i); - // get a clone of the protoset associated with the netaccept - TSNextProtocolSet nps = TSGetcloneProtoSet(netaccept); - TSUnregisterProtocol(nps, TS_ALPN_PROTOCOL_HTTP_2_0); - AcceptorMap[i] = nps; - } - break; - default: - break; - } - return 0; -} - void TSPluginInit(int argc, char const *argv[]) { @@ -109,9 +82,7 @@ TSPluginInit(int argc, char const *argv[]) Domains.emplace(std::string(argv[i], strlen(argv[i]))); } // These callbacks do not modify any state so no lock is needed. - TSCont cb_sni = TSContCreate(&CB_SNI, nullptr); - TSCont cb_netacc = TSContCreate(&CB_NetAcceptReady, nullptr); + TSCont cb_sni = TSContCreate(&CB_SNI, nullptr); TSHttpHookAdd(TS_SSL_SERVERNAME_HOOK, cb_sni); - TSLifecycleHookAdd(TS_LIFECYCLE_PORTS_READY_HOOK, cb_netacc); } diff --git a/include/ts/apidefs.h.in b/include/ts/apidefs.h.in index 9364adf..71dcd74 100644 --- a/include/ts/apidefs.h.in +++ b/include/ts/apidefs.h.in @@ -913,7 +913,6 @@ typedef struct tsapi_bufferreader *TSIOBufferReader; typedef struct tsapi_hostlookupresult *TSHostLookupResult; typedef struct tsapi_aiocallback *TSAIOCallback; typedef struct tsapi_net_accept *TSAcceptor; -typedef struct tsapi_protocol_set *TSNextProtocolSet; typedef void *(*TSThreadFunc)(void *data); typedef int (*TSEventFunc)(TSCont contp, TSEvent event, void *edata); diff --git a/include/ts/ts.h b/include/ts/ts.h index 6c8aa05..71a663e 100644 --- a/include/ts/ts.h +++ b/include/ts/ts.h 
@@ -1251,13 +1251,12 @@ tsapi TSReturnCode TSSslServerCertUpdate(const char *cert_path, const char *key_
 tsapi TSSslContext TSSslServerContextCreate(TSSslX509 cert, const char *certname, const char *rsp_file);
 tsapi void TSSslContextDestroy(TSSslContext ctx);
 tsapi void TSSslTicketKeyUpdate(char *ticketData, int ticketDataLen);
-tsapi TSNextProtocolSet TSUnregisterProtocol(TSNextProtocolSet protoset, const char *protocol);
 TSAcceptor TSAcceptorGet(TSVConn sslp);
-TSNextProtocolSet TSGetcloneProtoSet(TSAcceptor tna);
 TSAcceptor TSAcceptorGetbyID(int ID);
-void TSRegisterProtocolSet(TSVConn sslp, TSNextProtocolSet ps);
 int TSAcceptorCount();
 int TSAcceptorIDGet(TSAcceptor acceptor);
+TSReturnCode TSVConnProtocolDisable(TSVConn connp, const char *protocol_name);
+TSReturnCode TSVConnProtocolEnable(TSVConn connp, const char *protocol_name);
 /* Returns 1 if the sslp argument refers to a SSL connection */
 tsapi int TSVConnIsSsl(TSVConn sslp);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 268820e..7b13540 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
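Review bot: The two declarations added after `TSAcceptorIDGet` carry no comment, and their contract cannot be read from the signatures. Per the implementation in this commit they return TS_ERROR when `connp` is not a TLS connection, and per the new .rst page they only take effect from the early TLS hooks. A short header comment would cover both, e.g. `/* Enable or disable advertising protocol_name in TLS protocol negotiation on connp. Returns TS_ERROR if connp is not a TLS connection. Call from TS_SSL_CLIENT_HELLO_HOOK or TS_SSL_SERVERNAME_HOOK. */`. They are also declared without the `tsapi` prefix that `TSVConnIsSsl` just below carries; the neighbouring TSAcceptor declarations omit it too, so this may be deliberate, but it is worth confirming.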
@@ -9415,28 +9415,33 @@ TSSslTicketKeyUpdate(char *ticketData, int ticketDataLen)
 SSLTicketKeyConfig::reconfigure_data(ticketData, ticketDataLen);
 }
-#ifdef OLD
-void
-TSRegisterProtocolSet(TSVConn sslp, TSNextProtocolSet ps)
+TSReturnCode
+TSVConnProtocolEnable(TSVConn connp, const char *protocol_name)
 {
- NetVConnection *vc = reinterpret_cast<NetVConnection *>(sslp);
- SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(vc);
+ TSReturnCode retval = TS_ERROR;
+ int protocol_idx = globalSessionProtocolNameRegistry.toIndexConst(std::string_view{protocol_name});
+ auto net_vc = reinterpret_cast<UnixNetVConnection *>(connp);
+ auto ssl_vc = dynamic_cast<SSLNetVConnection *>(net_vc);
 if (ssl_vc) {
- ssl_vc->registerNextProtocolSet(reinterpret_cast<SSLNextProtocolSet *>(ps));
+ ssl_vc->enableProtocol(protocol_idx);
+ retval = TS_SUCCESS;
 }
+ return retval;
 }
-TSNextProtocolSet
-TSUnregisterProtocol(TSNextProtocolSet protoset, const char *protocol)
+TSReturnCode
+TSVConnProtocolDisable(TSVConn connp, const char *protocol_name)
 {
- SSLNextProtocolSet *snps = reinterpret_cast<SSLNextProtocolSet *>(protoset);
- if (snps) {
- snps->unregisterEndpoint(protocol, nullptr);
- return reinterpret_cast<TSNextProtocolSet>(snps);
+ TSReturnCode retval = TS_ERROR;
+ int protocol_idx = globalSessionProtocolNameRegistry.toIndexConst(std::string_view{protocol_name});
+ auto net_vc = reinterpret_cast<UnixNetVConnection *>(connp);
+ auto ssl_vc = dynamic_cast<SSLNetVConnection *>(net_vc);
+ if (ssl_vc) {
+ ssl_vc->disableProtocol(protocol_idx);
+ retval = TS_SUCCESS;
 }
- return nullptr;
+ return retval;
 }
-#endif
 TSAcceptor
 TSAcceptorGet(TSVConn sslp)
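Review bot: `TSVConnProtocolEnable` and `TSVConnProtocolDisable` both build `std::string_view{protocol_name}` without checking the pointer, so a plugin that passes a null name causes undefined behaviour inside the core. The index from `toIndexConst` is also passed unchecked to `enableProtocol`/`disableProtocol`, and the function then returns TS_SUCCESS. The hunk does not show what the registry returns for an unregistered name, but if it is an invalid-index sentinel, a misspelled protocol would be accepted silently and a plugin using the call to restrict negotiation would believe it had worked. Both functions should reject a null `connp`, a null name and an unknown protocol before touching the connection, as sketched below for the Disable variant; the constant name for the invalid index should be confirmed against the registry class. Since the two bodies differ only in the member called, the guards could live in one shared static helper.

```cpp
TSReturnCode
TSVConnProtocolDisable(TSVConn connp, const char *protocol_name)
{
  // Reject bad plugin input up front instead of constructing a string_view from nullptr.
  if (connp == nullptr || protocol_name == nullptr) {
    return TS_ERROR;
  }
  int protocol_idx = globalSessionProtocolNameRegistry.toIndexConst(std::string_view{protocol_name});
  // An unregistered name must not be reported as a successful change.
  if (protocol_idx == SessionProtocolNameRegistry::INVALID) {
    return TS_ERROR;
  }
  // … unchanged: cast to SSLNetVConnection, disableProtocol(protocol_idx), return retval …
```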
@@ -9469,17 +9474,6 @@ TSAcceptorCount()
 return naVec.size();
 }
-#ifdef OLD
-// clones the protoset associated with netAccept
-TSNextProtocolSet
-TSGetcloneProtoSet(TSAcceptor tna)
-{
- NetAccept *na = reinterpret_cast<NetAccept *>(tna);
- // clone protoset
- return (na && na->snpa) ? reinterpret_cast<TSNextProtocolSet>(na->snpa->cloneProtoSet()) : nullptr;
-}
-#endif
-
 tsapi int
 TSVConnIsSsl(TSVConn sslp)
 {
