From masa...@apache.org
Subject [trafficserver] 02/03: Add suported_group configs
Date Mon, 26 Mar 2018 07:16:48 GMT
This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 2389503983f52fc0914d473489e768596eb51321
Author: Masaori Koshiba <masaori@apache.org>
AuthorDate: Mon Mar 26 14:45:11 2018 +0900

    Add supported_group configs
---
 iocore/net/QUICNetProcessor.cc |  6 ++++--
 iocore/net/quic/QUICConfig.cc  | 46 +++++++++++++++++++++++++++++++++---------
 iocore/net/quic/QUICConfig.h   |  5 +++++
 mgmt/RecordsConfig.cc          |  4 ++++
 4 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc
index 94d6fb6..e580a62 100644
--- a/iocore/net/QUICNetProcessor.cc
+++ b/iocore/net/QUICNetProcessor.cc
@@ -66,8 +66,10 @@ QUICNetProcessor::start(int, size_t stacksize)
   // QUICInitializeLibrary();
   QUICConfig::startup();
 
-  // Initialize QUIC statistics. This depends on an initial set of certificates being loaded
above.
-  // QUICInitializeStatistics();
+#ifdef TLS1_3_VERSION_DRAFT_TXT
+  // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
+  Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
+#endif
 
   return 0;
 }
diff --git a/iocore/net/quic/QUICConfig.cc b/iocore/net/quic/QUICConfig.cc
index f440d59..84d8e9e 100644
--- a/iocore/net/quic/QUICConfig.cc
+++ b/iocore/net/quic/QUICConfig.cc
@@ -38,11 +38,6 @@ int QUICConfigParams::_connection_table_size = 65521;
 static SSL_CTX *
 quic_new_ssl_ctx()
 {
-#ifdef TLS1_3_VERSION_DRAFT_TXT
-  // FIXME: remove this when TLS1_3_VERSION_DRAFT_TXT is removed
-  Debug("quic_ps", "%s", TLS1_3_VERSION_DRAFT_TXT);
-#endif
-
   SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method());
 
   SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION);
@@ -61,8 +56,10 @@ quic_new_ssl_ctx()
 }
 
 static SSL_CTX *
-quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx)
+quic_init_server_ssl_ctx(const QUICConfigParams *params)
 {
+  SSL_CTX *ssl_ctx = quic_new_ssl_ctx();
+
   SSLConfig::scoped_config ssl_params;
   SSLParseCertificateConfiguration(ssl_params, ssl_ctx);
 
@@ -77,14 +74,28 @@ quic_init_server_ssl_ctx(SSL_CTX *ssl_ctx)
 
   SSL_CTX_set_alpn_select_cb(ssl_ctx, QUIC::ssl_select_next_protocol, nullptr);
 
+  if (params->server_supported_groups() != nullptr) {
+    if (SSL_CTX_set1_groups_list(ssl_ctx, params->server_supported_groups()) != 1) {
+      Error("SSL_CTX_set1_groups_list failed");
+    }
+  }
+
   return ssl_ctx;
 }
 
 static SSL_CTX *
-quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx)
+quic_init_client_ssl_ctx(const QUICConfigParams *params)
 {
+  SSL_CTX *ssl_ctx = quic_new_ssl_ctx();
+
   // SSL_CTX_set_alpn_protos()
 
+  if (params->client_supported_groups() != nullptr) {
+    if (SSL_CTX_set1_groups_list(ssl_ctx, params->client_supported_groups()) != 1) {
+      Error("SSL_CTX_set1_groups_list failed");
+    }
+  }
+
   return ssl_ctx;
 }
 
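Review bot: A rejected group list is only logged and the SSL_CTX is still returned, so both the server block after SSL_CTX_set_alpn_select_cb and the client block below it fall back to the library's default groups whenever proxy.config.quic.server.supported_groups or proxy.config.quic.client.supported_groups names a group the TLS library does not recognise; an operator who restricted the list to specific curves silently gets a different negotiation set. Either treat the failure as fatal for that context, or at least report which side and which list was rejected so the mismatch is visible in the logs. Each block also calls the getter twice; reading it once tidies both, e.g. for the server side `const char *groups = params->server_supported_groups();` / `if (groups != nullptr && SSL_CTX_set1_groups_list(ssl_ctx, groups) != 1) {` / `Error("SSL_CTX_set1_groups_list failed for server ctx: %s", groups);`. Whether an empty record value arrives here as "" or nullptr is not visible in the hunk; an empty list is likely rejected by SSL_CTX_set1_groups_list and would land on the same logged-and-ignored path. Both quic_init_server_ssl_ctx and quic_init_client_ssl_ctx begin outside this hunk.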
@@ -93,6 +104,9 @@ quic_init_client_ssl_ctx(SSL_CTX *ssl_ctx)
 //
 QUICConfigParams::~QUICConfigParams()
 {
+  this->_server_supported_groups = (char *)ats_free_null(this->_server_supported_groups);
+  this->_client_supported_groups = (char *)ats_free_null(this->_client_supported_groups);
+
   SSL_CTX_free(this->_server_ssl_ctx);
   SSL_CTX_free(this->_client_ssl_ctx);
 };
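Review bot: The two pointers freed here are declared in QUICConfig.h (the hunk at -65,6 +67,9) without an initializer, unlike the `= nullptr` SSL_CTX members next to them, so a QUICConfigParams destroyed before initialize() has run, or one whose REC_ReadConfigStringAlloc call leaves the pointer untouched when the record is absent (that behaviour is not visible here), hands an indeterminate pointer to ats_free_null. Give both members in-class initializers in the header: `char *_server_supported_groups = nullptr;` and `char *_client_supported_groups = nullptr;`. The `(char *)` C-style casts on the ats_free_null results would be clearer as `static_cast<char *>(...)`, or dropped if the return type already matches.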
@@ -107,11 +121,13 @@ QUICConfigParams::initialize()
   REC_EstablishStaticConfigInt32U(this->_server_id, "proxy.config.quic.server_id");
   REC_EstablishStaticConfigInt32(this->_connection_table_size, "proxy.config.quic.connection_table.size");
   REC_EstablishStaticConfigInt32U(this->_stateless_retry, "proxy.config.quic.stateless_retry");
+  REC_ReadConfigStringAlloc(this->_server_supported_groups, "proxy.config.quic.server.supported_groups");
+  REC_ReadConfigStringAlloc(this->_client_supported_groups, "proxy.config.quic.client.supported_groups");
 
   QUICStatelessRetry::init();
 
-  this->_server_ssl_ctx = quic_init_server_ssl_ctx(quic_new_ssl_ctx());
-  this->_client_ssl_ctx = quic_init_client_ssl_ctx(quic_new_ssl_ctx());
+  this->_server_ssl_ctx = quic_init_server_ssl_ctx(this);
+  this->_client_ssl_ctx = quic_init_client_ssl_ctx(this);
 }
 
 uint32_t
@@ -180,6 +196,18 @@ QUICConfigParams::initial_max_stream_id_uni_out() const
   return this->_initial_max_stream_id_uni_out;
 }
 
+const char *
+QUICConfigParams::server_supported_groups() const
+{
+  return this->_server_supported_groups;
+}
+
+const char *
+QUICConfigParams::client_supported_groups() const
+{
+  return this->_client_supported_groups;
+}
+
 SSL_CTX *
 QUICConfigParams::server_ssl_ctx() const
 {
diff --git a/iocore/net/quic/QUICConfig.h b/iocore/net/quic/QUICConfig.h
index 43bac32..1fc1797 100644
--- a/iocore/net/quic/QUICConfig.h
+++ b/iocore/net/quic/QUICConfig.h
@@ -46,6 +46,8 @@ public:
   uint32_t server_id() const;
   static int connection_table_size();
   uint32_t stateless_retry() const;
+  const char *server_supported_groups() const;
+  const char *client_supported_groups() const;
 
   SSL_CTX *server_ssl_ctx() const;
   SSL_CTX *client_ssl_ctx() const;
@@ -65,6 +67,9 @@ private:
   uint32_t _initial_max_stream_id_uni_in   = 102;
   uint32_t _initial_max_stream_id_uni_out  = 103;
 
+  char *_server_supported_groups;
+  char *_client_supported_groups;
+
   // TODO: integrate with SSLCertLookup or SNIConfigParams
   SSL_CTX *_server_ssl_ctx = nullptr;
   SSL_CTX *_client_ssl_ctx = nullptr;
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 89df43c..5032858 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1330,6 +1330,10 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.quic.stateless_retry", RECD_INT, "0", RECU_RESTART_TS, RR_NULL,
RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.quic.server.supported_groups", RECD_STRING, "P-256:X25519:P-384:P-521"
, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.quic.client.supported_groups", RECD_STRING, "P-256:X25519:P-384:P-521"
, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
 
   //# Add LOCAL Records Here
   {RECT_LOCAL, "proxy.local.incoming_ip_to_bind", RECD_STRING, nullptr, RECU_NULL, RR_NULL,
RECC_NULL, nullptr, RECA_NULL}
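Review bot: Both new string records use RECC_NULL, so a mistyped group name is not caught when records.config is loaded but only at startup in QUICConfig.cc, where the failure is logged and the context keeps the library defaults. A RECC_STR check with a pattern limited to the group-name alphabet, for example `RECC_STR, "^[A-Za-z0-9:_-]+$"` (a constructed pattern, to be adjusted to the names the build's TLS library accepts), rejects obviously malformed or empty values at load time; validating individual names still has to be left to SSL_CTX_set1_groups_list.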

