trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From masa...@apache.org
Subject [trafficserver] 01/03: Separate SSL_CTX for client and server
Date Mon, 26 Mar 2018 07:16:47 GMT
This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit bd09c194af798c32306923bb637e4a0def946002
Author: Masaori Koshiba <masaori@apache.org>
AuthorDate: Mon Mar 26 12:46:03 2018 +0900

    Separate SSL_CTX for client and server
    
    As for client, add SSL_CTX* to QUICConfig, just like SSLConfig has SSL_CTX *client_ctx.
    As for server, add SSL_CTX* to QUICConfig too for now. Probably this should be integrated
with
    SSLCertLookup or SNIConfigParams.
---
 iocore/net/P_QUICNetProcessor.h   |  2 -
 iocore/net/P_QUICNetVConnection.h |  2 +-
 iocore/net/P_QUICPacketHandler.h  |  3 +-
 iocore/net/QUICNetProcessor.cc    | 45 +--------------------
 iocore/net/QUICNetVConnection.cc  |  9 +++--
 iocore/net/QUICPacketHandler.cc   |  8 ++--
 iocore/net/quic/QUICConfig.cc     | 83 +++++++++++++++++++++++++++++++++++++++
 iocore/net/quic/QUICConfig.h      | 13 ++++++
 8 files changed, 110 insertions(+), 55 deletions(-)

diff --git a/iocore/net/P_QUICNetProcessor.h b/iocore/net/P_QUICNetProcessor.h
index c9d6c2a..59fb931 100644
--- a/iocore/net/P_QUICNetProcessor.h
+++ b/iocore/net/P_QUICNetProcessor.h
@@ -73,8 +73,6 @@ public:
 private:
   QUICNetProcessor(const QUICNetProcessor &);
   QUICNetProcessor &operator=(const QUICNetProcessor &);
-
-  SSL_CTX *_ssl_ctx = nullptr;
 };
 
 extern QUICNetProcessor quic_NetProcessor;
diff --git a/iocore/net/P_QUICNetVConnection.h b/iocore/net/P_QUICNetVConnection.h
index 83bef51..ba4a657 100644
--- a/iocore/net/P_QUICNetVConnection.h
+++ b/iocore/net/P_QUICNetVConnection.h
@@ -165,7 +165,7 @@ public:
   int state_connection_closing(int event, Event *data);
   int state_connection_draining(int event, Event *data);
   int state_connection_closed(int event, Event *data);
-  void start(SSL_CTX *);
+  void start();
   void free(EThread *t) override;
   void destroy(EThread *t);
 
diff --git a/iocore/net/P_QUICPacketHandler.h b/iocore/net/P_QUICPacketHandler.h
index 886ce70..8ffd36a 100644
--- a/iocore/net/P_QUICPacketHandler.h
+++ b/iocore/net/P_QUICPacketHandler.h
@@ -59,7 +59,7 @@ protected:
 class QUICPacketHandlerIn : public NetAccept, public QUICPacketHandler
 {
 public:
-  QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt, SSL_CTX *);
+  QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt);
   ~QUICPacketHandlerIn();
 
   // NetAccept
@@ -75,7 +75,6 @@ private:
   void _recv_packet(int event, UDPPacket *udp_packet) override;
 
   QUICConnectionTable *_ctable = nullptr;
-  SSL_CTX *_ssl_ctx;
 };
 
 /*
diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc
index 55c7b10..94d6fb6 100644
--- a/iocore/net/QUICNetProcessor.cc
+++ b/iocore/net/QUICNetProcessor.cc
@@ -27,8 +27,6 @@
 
 #include "QUICGlobals.h"
 #include "QUICConfig.h"
-#include "QUICTransportParameters.h"
-#include "QUICStatelessRetry.h"
 
 //
 // Global Data
@@ -48,7 +46,6 @@ QUICNetProcessor::~QUICNetProcessor()
 void
 QUICNetProcessor::cleanup()
 {
-  SSL_CTX_free(this->_ssl_ctx);
 }
 
 void
@@ -68,55 +65,17 @@ QUICNetProcessor::start(int, size_t stacksize)
   // This initialization order matters ...
   // QUICInitializeLibrary();
   QUICConfig::startup();
-  QUICStatelessRetry::init();
-
-#ifdef TLS1_3_VERSION_DRAFT_TXT
-  // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
-  Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
-#endif
-
-  // Acquire a QUICConfigParams instance *after* we start QUIC up.
-  // QUICConfig::scoped_config params;
 
   // Initialize QUIC statistics. This depends on an initial set of certificates being loaded
above.
   // QUICInitializeStatistics();
 
-  // TODO: separate SSL_CTX for client and server
-  // TODO: load certs from SSLConfig
-  this->_ssl_ctx = SSL_CTX_new(TLS_method());
-  SSL_CTX_set_min_proto_version(this->_ssl_ctx, TLS1_3_VERSION);
-  SSL_CTX_set_max_proto_version(this->_ssl_ctx, TLS1_3_VERSION);
-
-  // FIXME: OpenSSL (1.1.1-alpha) enable this option by default. But this shoule be removed
when OpenSSL disable this by default.
-  SSL_CTX_clear_options(this->_ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
-
-  SSL_CTX_set_alpn_select_cb(this->_ssl_ctx, QUIC::ssl_select_next_protocol, nullptr);
-  SSL_CTX_set_max_early_data(this->_ssl_ctx, UINT32_C(0xFFFFFFFF));
-  SSL_CTX_add_custom_ext(this->_ssl_ctx, QUICTransportParametersHandler::TRANSPORT_PARAMETER_ID,
-                         SSL_EXT_TLS_ONLY | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
-                         &QUICTransportParametersHandler::add, &QUICTransportParametersHandler::free,
nullptr,
-                         &QUICTransportParametersHandler::parse, nullptr);
-
-  // callbacks for cookie ext
-  // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
-  SSL_CTX_set_stateless_cookie_generate_cb(this->_ssl_ctx, QUICStatelessRetry::generate_cookie);
-  SSL_CTX_set_stateless_cookie_verify_cb(this->_ssl_ctx, QUICStatelessRetry::verify_cookie);
-
-  SSLConfig::scoped_config params;
-  SSLParseCertificateConfiguration(params, this->_ssl_ctx);
-
-  if (SSL_CTX_check_private_key(this->_ssl_ctx) != 1) {
-    Error("check private key failed");
-    // ink_assert(false);
-  }
-
   return 0;
 }
 
 NetAccept *
 QUICNetProcessor::createNetAccept(const NetProcessor::AcceptOptions &opt)
 {
-  return (NetAccept *)new QUICPacketHandlerIn(opt, this->_ssl_ctx);
+  return (NetAccept *)new QUICPacketHandlerIn(opt);
 }
 
 NetVConnection *
@@ -195,7 +154,7 @@ QUICNetProcessor::connect_re(Continuation *cont, sockaddr const *remote_addr,
Ne
 
   SET_CONTINUATION_HANDLER(vc, &QUICNetVConnection::startEvent);
 
-  vc->start(this->_ssl_ctx);
+  vc->start();
 
   if (t->is_event_type(opt->etype)) {
     MUTEX_TRY_LOCK(lock, cont->mutex, t);
diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc
index 8e22c80..cc8e72b 100644
--- a/iocore/net/QUICNetVConnection.cc
+++ b/iocore/net/QUICNetVConnection.cc
@@ -174,16 +174,17 @@ QUICNetVConnection::startEvent(int event, Event *e)
 
 // XXX This might be called on ET_UDP thread
 void
-QUICNetVConnection::start(SSL_CTX *ssl_ctx)
+QUICNetVConnection::start()
 {
+  QUICConfig::scoped_config params;
+
   this->_five_tuple.update(this->local_addr, this->remote_addr, SOCK_DGRAM);
   // Version 0x00000001 uses stream 0 for cryptographic handshake with TLS 1.3, but newer
version may not
   if (this->direction() == NET_VCONNECTION_IN) {
-    QUICConfig::scoped_config params;
     this->_reset_token.generate(this->_quic_connection_id, params->server_id());
-    this->_handshake_handler = new QUICHandshake(this, ssl_ctx, this->_reset_token,
params->stateless_retry());
+    this->_handshake_handler = new QUICHandshake(this, params->server_ssl_ctx(), this->_reset_token,
params->stateless_retry());
   } else {
-    this->_handshake_handler = new QUICHandshake(this, ssl_ctx);
+    this->_handshake_handler = new QUICHandshake(this, params->client_ssl_ctx());
     this->_handshake_handler->start(&this->_packet_factory);
   }
   this->_application_map = new QUICApplicationMap();
diff --git a/iocore/net/QUICPacketHandler.cc b/iocore/net/QUICPacketHandler.cc
index 2561005..5bbb4a5 100644
--- a/iocore/net/QUICPacketHandler.cc
+++ b/iocore/net/QUICPacketHandler.cc
@@ -23,6 +23,8 @@
 #include "P_Net.h"
 
 #include "P_QUICClosedConCollector.h"
+
+#include "QUICGlobals.h"
 #include "QUICConfig.h"
 #include "QUICPacket.h"
 #include "QUICDebugNames.h"
@@ -88,7 +90,7 @@ QUICPacketHandler::_read_connection_id(IOBufferBlock *block)
 //
 // QUICPacketHandlerIn
 //
-QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt, SSL_CTX
*ctx) : NetAccept(opt), _ssl_ctx(ctx)
+QUICPacketHandlerIn::QUICPacketHandlerIn(const NetProcessor::AcceptOptions &opt) : NetAccept(opt)
 {
   this->mutex = new_ProxyMutex();
   // create Connection Table
@@ -112,7 +114,7 @@ NetAccept *
 QUICPacketHandlerIn::clone() const
 {
   NetAccept *na;
-  na  = new QUICPacketHandlerIn(opt, this->_ssl_ctx);
+  na  = new QUICPacketHandlerIn(opt);
   *na = *this;
   return na;
 }
@@ -218,7 +220,7 @@ QUICPacketHandlerIn::_recv_packet(int event, UDPPacket *udp_packet)
     vc->action_     = *this->action_;
     vc->set_is_transparent(this->opt.f_inbound_transparent);
     vc->set_context(NET_VCONNECTION_IN);
-    vc->start(this->_ssl_ctx);
+    vc->start();
     vc->options.ip_proto  = NetVCOptions::USE_UDP;
     vc->options.ip_family = udp_packet->from.sa.sa_family;
 
diff --git a/iocore/net/quic/QUICConfig.cc b/iocore/net/quic/QUICConfig.cc
index 0b8c00c..f440d59 100644
--- a/iocore/net/quic/QUICConfig.cc
+++ b/iocore/net/quic/QUICConfig.cc
@@ -23,14 +23,80 @@
 
 #include "QUICConfig.h"
 
+#include <openssl/ssl.h>
 #include <records/I_RecHttp.h>
 
+#include "P_SSLConfig.h"
+
+#include "QUICGlobals.h"
+#include "QUICTransportParameters.h"
+#include "QUICStatelessRetry.h"
+
 int QUICConfig::_config_id                   = 0;
 int QUICConfigParams::_connection_table_size = 65521;
 
+static SSL_CTX *
+quic_new_ssl_ctx()
+{
+#ifdef TLS1_3_VERSION_DRAFT_TXT
+  // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
+  Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
+#endif
+
+  SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
+
+  SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION);
+  SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_3_VERSION);
+
+  // FIXME: OpenSSL (1.1.1-alpha) enable this option by default. But this shoule be removed
when OpenSSL disable this by default.
+  SSL_CTX_clear_options(ssl_ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+
+  SSL_CTX_set_max_early_data(ssl_ctx, UINT32_C(0xFFFFFFFF));
+
+  SSL_CTX_add_custom_ext(ssl_ctx, QUICTransportParametersHandler::TRANSPORT_PARAMETER_ID,
+                         SSL_EXT_TLS_ONLY | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+                         &QUICTransportParametersHandler::add, &QUICTransportParametersHandler::free,
nullptr,
+                         &QUICTransportParametersHandler::parse, nullptr);
+  return ssl_ctx;
+}
+
+static SSL_CTX *
+quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx)
+{
+  SSLConfig::scoped_config ssl_params;
+  SSLParseCertificateConfiguration(ssl_params, ssl_ctx);
+
+  if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
+    Error("check private key failed");
+  }
+
+  // callbacks for cookie ext
+  // Requires OpenSSL-1.1.1-pre3+ : https://github.com/openssl/openssl/pull/5463
+  SSL_CTX_set_stateless_cookie_generate_cb(ssl_ctx, QUICStatelessRetry::generate_cookie);
+  SSL_CTX_set_stateless_cookie_verify_cb(ssl_ctx, QUICStatelessRetry::verify_cookie);
+
+  SSL_CTX_set_alpn_select_cb(ssl_ctx, QUIC::ssl_select_next_protocol, nullptr);
+
+  return ssl_ctx;
+}
+
+static SSL_CTX *
+quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx)
+{
+  // SSL_CTX_set_alpn_protos()
+
+  return ssl_ctx;
+}
+
 //
 // QUICConfigParams
 //
+QUICConfigParams::~QUICConfigParams()
+{
+  SSL_CTX_free(this->_server_ssl_ctx);
+  SSL_CTX_free(this->_client_ssl_ctx);
+};
+
 void
 QUICConfigParams::initialize()
 {
@@ -41,6 +107,11 @@ QUICConfigParams::initialize()
   REC_EstablishStaticConfigInt32U(this->_server_id, "proxy.config.quic.server_id");
   REC_EstablishStaticConfigInt32(this->_connection_table_size, "proxy.config.quic.connection_table.size");
   REC_EstablishStaticConfigInt32U(this->_stateless_retry, "proxy.config.quic.stateless_retry");
+
+  QUICStatelessRetry::init();
+
+  this->_server_ssl_ctx = quic_init_server_ssl_ctx(quic_new_ssl_ctx());
+  this->_client_ssl_ctx = quic_init_client_ssl_ctx(quic_new_ssl_ctx());
 }
 
 uint32_t
@@ -109,6 +180,18 @@ QUICConfigParams::initial_max_stream_id_uni_out() const
   return this->_initial_max_stream_id_uni_out;
 }
 
+SSL_CTX *
+QUICConfigParams::server_ssl_ctx() const
+{
+  return this->_server_ssl_ctx;
+}
+
+SSL_CTX *
+QUICConfigParams::client_ssl_ctx() const
+{
+  return this->_client_ssl_ctx;
+}
+
 //
 // QUICConfig
 //
diff --git a/iocore/net/quic/QUICConfig.h b/iocore/net/quic/QUICConfig.h
index 4ae7721..43bac32 100644
--- a/iocore/net/quic/QUICConfig.h
+++ b/iocore/net/quic/QUICConfig.h
@@ -23,10 +23,16 @@
 
 #pragma once
 
+#include <openssl/ssl.h>
+
 #include "ProxyConfig.h"
+
 class QUICConfigParams : public ConfigInfo
 {
 public:
+  QUICConfigParams(){};
+  ~QUICConfigParams();
+
   void initialize();
 
   uint32_t no_activity_timeout_in() const;
@@ -41,6 +47,9 @@ public:
   static int connection_table_size();
   uint32_t stateless_retry() const;
 
+  SSL_CTX *server_ssl_ctx() const;
+  SSL_CTX *client_ssl_ctx() const;
+
 private:
   // FIXME Fill appropriate default values in RecordsConfig.cc
   uint32_t _no_activity_timeout_in  = 0;
@@ -55,6 +64,10 @@ private:
   uint32_t _initial_max_stream_id_bidi_out = 101;
   uint32_t _initial_max_stream_id_uni_in   = 102;
   uint32_t _initial_max_stream_id_uni_out  = 103;
+
+  // TODO: integrate with SSLCertLookup or SNIConfigParams
+  SSL_CTX *_server_ssl_ctx = nullptr;
+  SSL_CTX *_client_ssl_ctx = nullptr;
 };
 
 class QUICConfig

-- 
To stop receiving notification emails like this one, please contact
masaori@apache.org.

Mime
View raw message