Compare commits
7 Commits
master
...
tls13-earl
Author | SHA1 | Date |
---|---|---|
Tatsuhiro Tsujikawa | 66eba46c8e | |
Tatsuhiro Tsujikawa | abcdca91ba | |
Tatsuhiro Tsujikawa | 5e59577e93 | |
Tatsuhiro Tsujikawa | 8c6612d338 | |
Tatsuhiro Tsujikawa | b71d9ea58e | |
Tatsuhiro Tsujikawa | aca99d42f1 | |
Tatsuhiro Tsujikawa | 90a9a804d0 |
|
@ -31,6 +31,7 @@ HEADERS = [
|
||||||
"user-agent",
|
"user-agent",
|
||||||
"date",
|
"date",
|
||||||
"content-type",
|
"content-type",
|
||||||
|
"nghttpx-0rtt-uniq",
|
||||||
# disallowed h1 headers
|
# disallowed h1 headers
|
||||||
'connection',
|
'connection',
|
||||||
'keep-alive',
|
'keep-alive',
|
||||||
|
|
|
@ -168,6 +168,11 @@ OPTIONS = [
|
||||||
"no-strip-incoming-x-forwarded-proto",
|
"no-strip-incoming-x-forwarded-proto",
|
||||||
"ocsp-startup",
|
"ocsp-startup",
|
||||||
"no-verify-ocsp",
|
"no-verify-ocsp",
|
||||||
|
"tls-anti-replay-memcached",
|
||||||
|
"tls-anti-replay-memcached-cert-file",
|
||||||
|
"tls-anti-replay-memcached-private-key-file",
|
||||||
|
"tls-anti-replay-memcached-address-family",
|
||||||
|
"no-strip-incoming-nghttpx-0rtt-uniq",
|
||||||
]
|
]
|
||||||
|
|
||||||
LOGVARS = [
|
LOGVARS = [
|
||||||
|
|
10
src/http2.cc
10
src/http2.cc
|
@ -434,6 +434,11 @@ void copy_headers_to_nva_internal(std::vector<nghttp2_nv> &nva,
|
||||||
kv = &(*it_via);
|
kv = &(*it_via);
|
||||||
it_via = it;
|
it_via = it;
|
||||||
break;
|
break;
|
||||||
|
case HD_NGHTTPX_0RTT_UNIQ:
|
||||||
|
if (flags & HDOP_STRIP_NGHTTPX_ZERO_RTT_UNIQ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
nva.push_back(
|
nva.push_back(
|
||||||
make_nv_internal(kv->name, kv->value, kv->no_index, nv_flags));
|
make_nv_internal(kv->name, kv->value, kv->no_index, nv_flags));
|
||||||
|
@ -920,6 +925,11 @@ int lookup_token(const uint8_t *name, size_t namelen) {
|
||||||
return HD_X_FORWARDED_PROTO;
|
return HD_X_FORWARDED_PROTO;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'q':
|
||||||
|
if (util::streq_l("nghttpx-0rtt-uni", name, 16)) {
|
||||||
|
return HD_NGHTTPX_0RTT_UNIQ;
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -203,9 +203,13 @@ enum HeaderBuildOp {
|
||||||
// Via header fields must be stripped. If this flag is not set, all
|
// Via header fields must be stripped. If this flag is not set, all
|
||||||
// Via header fields other than last one are added.
|
// Via header fields other than last one are added.
|
||||||
HDOP_STRIP_VIA = 1 << 3,
|
HDOP_STRIP_VIA = 1 << 3,
|
||||||
|
// nghttpx-0rtt-uniq header fields must be stripped. If this flag
|
||||||
|
// is not set, all nghttpx-0rtt-uniq header fields are added.
|
||||||
|
HDOP_STRIP_NGHTTPX_ZERO_RTT_UNIQ = 1 << 4,
|
||||||
// Strip above all header fields.
|
// Strip above all header fields.
|
||||||
HDOP_STRIP_ALL = HDOP_STRIP_FORWARDED | HDOP_STRIP_X_FORWARDED_FOR |
|
HDOP_STRIP_ALL = HDOP_STRIP_FORWARDED | HDOP_STRIP_X_FORWARDED_FOR |
|
||||||
HDOP_STRIP_X_FORWARDED_PROTO | HDOP_STRIP_VIA,
|
HDOP_STRIP_X_FORWARDED_PROTO | HDOP_STRIP_VIA |
|
||||||
|
HDOP_STRIP_NGHTTPX_ZERO_RTT_UNIQ,
|
||||||
};
|
};
|
||||||
|
|
||||||
// Appends headers in |headers| to |nv|. |headers| must be indexed
|
// Appends headers in |headers| to |nv|. |headers| must be indexed
|
||||||
|
@ -312,6 +316,7 @@ enum {
|
||||||
HD_KEEP_ALIVE,
|
HD_KEEP_ALIVE,
|
||||||
HD_LINK,
|
HD_LINK,
|
||||||
HD_LOCATION,
|
HD_LOCATION,
|
||||||
|
HD_NGHTTPX_0RTT_UNIQ,
|
||||||
HD_PROXY_CONNECTION,
|
HD_PROXY_CONNECTION,
|
||||||
HD_SERVER,
|
HD_SERVER,
|
||||||
HD_TE,
|
HD_TE,
|
||||||
|
|
85
src/shrpx.cc
85
src/shrpx.cc
|
@ -1438,6 +1438,12 @@ void fill_default_config(Config *config) {
|
||||||
memcachedconf.family = AF_UNSPEC;
|
memcachedconf.family = AF_UNSPEC;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
auto &anti_replayconf = tlsconf.anti_replay;
|
||||||
|
{
|
||||||
|
auto &memcachedconf = anti_replayconf.memcached;
|
||||||
|
memcachedconf.family = AF_UNSPEC;
|
||||||
|
}
|
||||||
|
|
||||||
ticketconf.cipher = EVP_aes_128_cbc();
|
ticketconf.cipher = EVP_aes_128_cbc();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1480,6 +1486,7 @@ void fill_default_config(Config *config) {
|
||||||
httpconf.max_requests = std::numeric_limits<size_t>::max();
|
httpconf.max_requests = std::numeric_limits<size_t>::max();
|
||||||
httpconf.xfp.add = true;
|
httpconf.xfp.add = true;
|
||||||
httpconf.xfp.strip_incoming = true;
|
httpconf.xfp.strip_incoming = true;
|
||||||
|
httpconf.zero_rtt_uniq.strip_incoming = true;
|
||||||
|
|
||||||
auto &http2conf = config->http2;
|
auto &http2conf = config->http2;
|
||||||
{
|
{
|
||||||
|
@ -2284,6 +2291,25 @@ SSL/TLS:
|
||||||
--tls-session-cache-memcached-private-key-file=<PATH>
|
--tls-session-cache-memcached-private-key-file=<PATH>
|
||||||
Path to client private key for memcached connections to
|
Path to client private key for memcached connections to
|
||||||
store session cache.
|
store session cache.
|
||||||
|
--tls-anti-replay-memcached=<HOST>,<PORT>[;tls]
|
||||||
|
Specify address of memcached server to store ClientHello
|
||||||
|
to avoid 0-RTT early data replay. This enables shared
|
||||||
|
storage between multiple nghttpx instances. Optionally,
|
||||||
|
memcached connection can be encrypted with TLS by
|
||||||
|
specifying "tls" parameter.
|
||||||
|
--tls-anti-replay-memcached-address-family=(auto|IPv4|IPv6)
|
||||||
|
Specify address family of memcached connections to store
|
||||||
|
ClientHello to avoid 0-RTT early data replay. If "auto"
|
||||||
|
is given, both IPv4 and IPv6 are considered. If "IPv4"
|
||||||
|
is given, only IPv4 address is considered. If "IPv6" is
|
||||||
|
given, only IPv6 address is considered.
|
||||||
|
Default: auto
|
||||||
|
--tls-anti-replay-memcached-cert-file=<PATH>
|
||||||
|
Path to client certificate for memcached connections to
|
||||||
|
store ClientHello to avoid 0-RTT early data replay.
|
||||||
|
--tls-anti-replay-memcached-private-key-file=<PATH>
|
||||||
|
Path to client private key for memcached connections to
|
||||||
|
store ClientHello to avoid 0-RTT early data replay.
|
||||||
--tls-dyn-rec-warmup-threshold=<SIZE>
|
--tls-dyn-rec-warmup-threshold=<SIZE>
|
||||||
Specify the threshold size for TLS dynamic record size
|
Specify the threshold size for TLS dynamic record size
|
||||||
behaviour. During a TLS session, after the threshold
|
behaviour. During a TLS session, after the threshold
|
||||||
|
@ -2590,6 +2616,9 @@ HTTP:
|
||||||
Default: obfuscated
|
Default: obfuscated
|
||||||
--no-via Don't append to Via header field. If Via header field
|
--no-via Don't append to Via header field. If Via header field
|
||||||
is received, it is left unaltered.
|
is received, it is left unaltered.
|
||||||
|
--no-strip-incoming-nghttpx-0rtt-uniq
|
||||||
|
Don't strip nghttpx-0rtt-uniq header field from inbound
|
||||||
|
client requests.
|
||||||
--no-location-rewrite
|
--no-location-rewrite
|
||||||
Don't rewrite location header field in default mode.
|
Don't rewrite location header field in default mode.
|
||||||
When --http2-proxy is used, location header field will
|
When --http2-proxy is used, location header field will
|
||||||
|
@ -2995,6 +3024,26 @@ int process_options(Config *config,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
auto &memcachedconf = tlsconf.anti_replay.memcached;
|
||||||
|
if (!memcachedconf.host.empty()) {
|
||||||
|
auto hostport = util::make_hostport(StringRef{memcachedconf.host},
|
||||||
|
memcachedconf.port);
|
||||||
|
if (resolve_hostname(&memcachedconf.addr, memcachedconf.host.c_str(),
|
||||||
|
memcachedconf.port, memcachedconf.family) == -1) {
|
||||||
|
LOG(FATAL) << "Resolving memcached address for TLS anti-replay failed: "
|
||||||
|
<< hostport;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
LOG(NOTICE) << "Memcached address for TLS anti-replay: " << hostport
|
||||||
|
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
||||||
|
if (memcachedconf.tls) {
|
||||||
|
LOG(NOTICE) << "Connection to memcached for TLS anti-replay will be "
|
||||||
|
"encrypted by TLS";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (config->rlimit_nofile) {
|
if (config->rlimit_nofile) {
|
||||||
struct rlimit lim = {static_cast<rlim_t>(config->rlimit_nofile),
|
struct rlimit lim = {static_cast<rlim_t>(config->rlimit_nofile),
|
||||||
static_cast<rlim_t>(config->rlimit_nofile)};
|
static_cast<rlim_t>(config->rlimit_nofile)};
|
||||||
|
@ -3404,6 +3453,16 @@ int main(int argc, char **argv) {
|
||||||
{SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument,
|
{SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument,
|
||||||
&flag, 158},
|
&flag, 158},
|
||||||
{SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159},
|
{SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159},
|
||||||
|
{SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED.c_str(), required_argument, &flag,
|
||||||
|
160},
|
||||||
|
{SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY.c_str(),
|
||||||
|
required_argument, &flag, 161},
|
||||||
|
{SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE.c_str(),
|
||||||
|
required_argument, &flag, 162},
|
||||||
|
{SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE.c_str(),
|
||||||
|
required_argument, &flag, 163},
|
||||||
|
{SHRPX_OPT_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ.c_str(), no_argument,
|
||||||
|
&flag, 164},
|
||||||
{nullptr, 0, nullptr, 0}};
|
{nullptr, 0, nullptr, 0}};
|
||||||
|
|
||||||
int option_index = 0;
|
int option_index = 0;
|
||||||
|
@ -4165,6 +4224,32 @@ int main(int argc, char **argv) {
|
||||||
cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS,
|
cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS,
|
||||||
StringRef::from_lit("yes"));
|
StringRef::from_lit("yes"));
|
||||||
break;
|
break;
|
||||||
|
case 160:
|
||||||
|
// --tls-anti-replay-memcached
|
||||||
|
cmdcfgs.emplace_back(SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED,
|
||||||
|
StringRef{optarg});
|
||||||
|
break;
|
||||||
|
case 161:
|
||||||
|
// --tls-anti-replay-memcached-address-family
|
||||||
|
cmdcfgs.emplace_back(SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY,
|
||||||
|
StringRef{optarg});
|
||||||
|
break;
|
||||||
|
case 162:
|
||||||
|
// --tls-anti-replay-memcached-cert-file
|
||||||
|
cmdcfgs.emplace_back(SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE,
|
||||||
|
StringRef{optarg});
|
||||||
|
break;
|
||||||
|
case 163:
|
||||||
|
// --tls-anti-replay-memcached-private-key-file
|
||||||
|
cmdcfgs.emplace_back(
|
||||||
|
SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE,
|
||||||
|
StringRef{optarg});
|
||||||
|
break;
|
||||||
|
case 164:
|
||||||
|
// --no-strip-incoming-nghttpx-0rtt-uniq
|
||||||
|
cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ,
|
||||||
|
StringRef::from_lit("yes"));
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2072,6 +2072,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
break;
|
break;
|
||||||
case 25:
|
case 25:
|
||||||
switch (name[24]) {
|
switch (name[24]) {
|
||||||
|
case 'd':
|
||||||
|
if (util::strieq_l("tls-anti-replay-memcache", name, 24)) {
|
||||||
|
return SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 'e':
|
case 'e':
|
||||||
if (util::strieq_l("backend-http2-window-siz", name, 24)) {
|
if (util::strieq_l("backend-http2-window-siz", name, 24)) {
|
||||||
return SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE;
|
return SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE;
|
||||||
|
@ -2255,12 +2260,20 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
if (util::strieq_l("frontend-http2-optimize-window-siz", name, 34)) {
|
if (util::strieq_l("frontend-http2-optimize-window-siz", name, 34)) {
|
||||||
return SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE;
|
return SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE;
|
||||||
}
|
}
|
||||||
|
if (util::strieq_l("tls-anti-replay-memcached-cert-fil", name, 34)) {
|
||||||
|
return SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case 'o':
|
case 'o':
|
||||||
if (util::strieq_l("no-strip-incoming-x-forwarded-prot", name, 34)) {
|
if (util::strieq_l("no-strip-incoming-x-forwarded-prot", name, 34)) {
|
||||||
return SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO;
|
return SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'q':
|
||||||
|
if (util::strieq_l("no-strip-incoming-nghttpx-0rtt-uni", name, 34)) {
|
||||||
|
return SHRPX_OPTID_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 'r':
|
case 'r':
|
||||||
if (util::strieq_l("frontend-http2-dump-response-heade", name, 34)) {
|
if (util::strieq_l("frontend-http2-dump-response-heade", name, 34)) {
|
||||||
return SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER;
|
return SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER;
|
||||||
|
@ -2338,6 +2351,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
return SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE;
|
return SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'y':
|
||||||
|
if (util::strieq_l("tls-anti-replay-memcached-address-famil", name, 39)) {
|
||||||
|
return SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY;
|
||||||
|
}
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 41:
|
case 41:
|
||||||
|
@ -2364,6 +2382,12 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||||
break;
|
break;
|
||||||
case 42:
|
case 42:
|
||||||
switch (name[41]) {
|
switch (name[41]) {
|
||||||
|
case 'e':
|
||||||
|
if (util::strieq_l("tls-anti-replay-memcached-private-key-fil", name,
|
||||||
|
41)) {
|
||||||
|
return SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 'y':
|
case 'y':
|
||||||
if (util::strieq_l("tls-session-cache-memcached-address-famil", name,
|
if (util::strieq_l("tls-session-cache-memcached-address-famil", name,
|
||||||
41)) {
|
41)) {
|
||||||
|
@ -3153,7 +3177,8 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
|
||||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED:
|
||||||
|
case SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED: {
|
||||||
auto addr_end = std::find(std::begin(optarg), std::end(optarg), ';');
|
auto addr_end = std::find(std::begin(optarg), std::end(optarg), ';');
|
||||||
auto src_params = StringRef{addr_end, std::end(optarg)};
|
auto src_params = StringRef{addr_end, std::end(optarg)};
|
||||||
|
|
||||||
|
@ -3183,6 +3208,13 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
memcachedconf.tls = params.tls;
|
memcachedconf.tls = params.tls;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
case SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED: {
|
||||||
|
auto &memcachedconf = config->tls.anti_replay.memcached;
|
||||||
|
memcachedconf.host = make_string_ref(config->balloc, StringRef{host});
|
||||||
|
memcachedconf.port = port;
|
||||||
|
memcachedconf.tls = params.tls;
|
||||||
|
break;
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -3330,6 +3362,16 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
config->tls.ticket.memcached.private_key_file =
|
config->tls.ticket.memcached.private_key_file =
|
||||||
make_string_ref(config->balloc, optarg);
|
make_string_ref(config->balloc, optarg);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
case SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE:
|
||||||
|
config->tls.anti_replay.memcached.cert_file =
|
||||||
|
make_string_ref(config->balloc, optarg);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
case SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE:
|
||||||
|
config->tls.anti_replay.memcached.private_key_file =
|
||||||
|
make_string_ref(config->balloc, optarg);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY:
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY:
|
||||||
return parse_address_family(&config->tls.ticket.memcached.family, opt,
|
return parse_address_family(&config->tls.ticket.memcached.family, opt,
|
||||||
|
@ -3337,6 +3379,9 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY:
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY:
|
||||||
return parse_address_family(&config->tls.session_cache.memcached.family,
|
return parse_address_family(&config->tls.session_cache.memcached.family,
|
||||||
opt, optarg);
|
opt, optarg);
|
||||||
|
case SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY:
|
||||||
|
return parse_address_family(&config->tls.anti_replay.memcached.family, opt,
|
||||||
|
optarg);
|
||||||
case SHRPX_OPTID_BACKEND_ADDRESS_FAMILY:
|
case SHRPX_OPTID_BACKEND_ADDRESS_FAMILY:
|
||||||
return parse_address_family(&config->conn.downstream->family, opt, optarg);
|
return parse_address_family(&config->conn.downstream->family, opt, optarg);
|
||||||
case SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS:
|
case SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS:
|
||||||
|
@ -3550,6 +3595,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
case SHRPX_OPTID_NO_VERIFY_OCSP:
|
case SHRPX_OPTID_NO_VERIFY_OCSP:
|
||||||
config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
|
config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
case SHRPX_OPTID_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ:
|
||||||
|
config->http.zero_rtt_uniq.strip_incoming = !util::strieq_l("yes", optarg);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_CONF:
|
case SHRPX_OPTID_CONF:
|
||||||
LOG(WARN) << "conf: ignored";
|
LOG(WARN) << "conf: ignored";
|
||||||
|
|
|
@ -343,6 +343,16 @@ constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
|
||||||
StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
|
StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
|
||||||
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
|
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
|
||||||
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
|
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
|
||||||
|
constexpr auto SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED =
|
||||||
|
StringRef::from_lit("tls-anti-replay-memcached");
|
||||||
|
constexpr auto SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE =
|
||||||
|
StringRef::from_lit("tls-anti-replay-memcached-cert-file");
|
||||||
|
constexpr auto SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE =
|
||||||
|
StringRef::from_lit("tls-anti-replay-memcached-private-key-file");
|
||||||
|
constexpr auto SHRPX_OPT_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY =
|
||||||
|
StringRef::from_lit("tls-anti-replay-memcached-address-family");
|
||||||
|
constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ =
|
||||||
|
StringRef::from_lit("no-strip-incoming-nghttpx-0rtt-uniq");
|
||||||
|
|
||||||
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
||||||
|
|
||||||
|
@ -577,6 +587,23 @@ struct TLSConfig {
|
||||||
} memcached;
|
} memcached;
|
||||||
} session_cache;
|
} session_cache;
|
||||||
|
|
||||||
|
struct {
|
||||||
|
struct {
|
||||||
|
Address addr;
|
||||||
|
uint16_t port;
|
||||||
|
// Hostname of memcached server. This is also used as SNI field
|
||||||
|
// if TLS is enabled.
|
||||||
|
StringRef host;
|
||||||
|
// Client private key and certificate for authentication
|
||||||
|
StringRef private_key_file;
|
||||||
|
StringRef cert_file;
|
||||||
|
// Address family of memcached connection. One of either
|
||||||
|
// AF_INET, AF_INET6 or AF_UNSPEC.
|
||||||
|
int family;
|
||||||
|
bool tls;
|
||||||
|
} memcached;
|
||||||
|
} anti_replay;
|
||||||
|
|
||||||
// Dynamic record sizing configurations
|
// Dynamic record sizing configurations
|
||||||
struct {
|
struct {
|
||||||
size_t warmup_threshold;
|
size_t warmup_threshold;
|
||||||
|
@ -679,6 +706,9 @@ struct HttpConfig {
|
||||||
bool add;
|
bool add;
|
||||||
bool strip_incoming;
|
bool strip_incoming;
|
||||||
} xfp;
|
} xfp;
|
||||||
|
struct {
|
||||||
|
bool strip_incoming;
|
||||||
|
} zero_rtt_uniq;
|
||||||
std::vector<AltSvc> altsvcs;
|
std::vector<AltSvc> altsvcs;
|
||||||
std::vector<ErrorPage> error_pages;
|
std::vector<ErrorPage> error_pages;
|
||||||
HeaderRefs add_request_headers;
|
HeaderRefs add_request_headers;
|
||||||
|
@ -1071,6 +1101,7 @@ enum {
|
||||||
SHRPX_OPTID_NO_OCSP,
|
SHRPX_OPTID_NO_OCSP,
|
||||||
SHRPX_OPTID_NO_SERVER_PUSH,
|
SHRPX_OPTID_NO_SERVER_PUSH,
|
||||||
SHRPX_OPTID_NO_SERVER_REWRITE,
|
SHRPX_OPTID_NO_SERVER_REWRITE,
|
||||||
|
SHRPX_OPTID_NO_STRIP_INCOMING_NGHTTPX_0RTT_UNIQ,
|
||||||
SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
|
SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
|
||||||
SHRPX_OPTID_NO_VERIFY_OCSP,
|
SHRPX_OPTID_NO_VERIFY_OCSP,
|
||||||
SHRPX_OPTID_NO_VIA,
|
SHRPX_OPTID_NO_VIA,
|
||||||
|
@ -1097,6 +1128,10 @@ enum {
|
||||||
SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
|
SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
|
||||||
SHRPX_OPTID_SUBCERT,
|
SHRPX_OPTID_SUBCERT,
|
||||||
SHRPX_OPTID_SYSLOG_FACILITY,
|
SHRPX_OPTID_SYSLOG_FACILITY,
|
||||||
|
SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED,
|
||||||
|
SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_ADDRESS_FAMILY,
|
||||||
|
SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_CERT_FILE,
|
||||||
|
SHRPX_OPTID_TLS_ANTI_REPLAY_MEMCACHED_PRIVATE_KEY_FILE,
|
||||||
SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
|
SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
|
||||||
SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
|
SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
|
||||||
SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
|
SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
|
||||||
|
|
|
@ -38,7 +38,6 @@
|
||||||
#include "shrpx_log.h"
|
#include "shrpx_log.h"
|
||||||
#include "memchunk.h"
|
#include "memchunk.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "ssl_compat.h"
|
|
||||||
|
|
||||||
using namespace nghttp2;
|
using namespace nghttp2;
|
||||||
|
|
||||||
|
@ -60,7 +59,8 @@ Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl,
|
||||||
IOCb readcb, TimerCb timeoutcb, void *data,
|
IOCb readcb, TimerCb timeoutcb, void *data,
|
||||||
size_t tls_dyn_rec_warmup_threshold,
|
size_t tls_dyn_rec_warmup_threshold,
|
||||||
ev_tstamp tls_dyn_rec_idle_timeout, shrpx_proto proto)
|
ev_tstamp tls_dyn_rec_idle_timeout, shrpx_proto proto)
|
||||||
: tls{DefaultMemchunks(mcpool), DefaultPeekMemchunks(mcpool)},
|
: tls{DefaultMemchunks(mcpool), DefaultPeekMemchunks(mcpool),
|
||||||
|
DefaultMemchunks(mcpool)},
|
||||||
wlimit(loop, &wev, write_limit.rate, write_limit.burst),
|
wlimit(loop, &wev, write_limit.rate, write_limit.burst),
|
||||||
rlimit(loop, &rev, read_limit.rate, read_limit.burst, this),
|
rlimit(loop, &rev, read_limit.rate, read_limit.burst, this),
|
||||||
loop(loop),
|
loop(loop),
|
||||||
|
@ -92,7 +92,15 @@ Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Connection::~Connection() { disconnect(); }
|
Connection::~Connection() {
|
||||||
|
disconnect();
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (tls.ch_md_ctx) {
|
||||||
|
EVP_MD_CTX_free(tls.ch_md_ctx);
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
}
|
||||||
|
|
||||||
void Connection::disconnect() {
|
void Connection::disconnect() {
|
||||||
if (tls.ssl) {
|
if (tls.ssl) {
|
||||||
|
@ -110,20 +118,34 @@ void Connection::disconnect() {
|
||||||
tls.cached_session_lookup_req = nullptr;
|
tls.cached_session_lookup_req = nullptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (tls.anti_replay_req) {
|
||||||
|
tls.anti_replay_req->canceled = true;
|
||||||
|
tls.anti_replay_req = nullptr;
|
||||||
|
}
|
||||||
|
|
||||||
SSL_shutdown(tls.ssl);
|
SSL_shutdown(tls.ssl);
|
||||||
SSL_free(tls.ssl);
|
SSL_free(tls.ssl);
|
||||||
tls.ssl = nullptr;
|
tls.ssl = nullptr;
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (tls.ch_md_ctx) {
|
||||||
|
EVP_MD_CTX_reset(tls.ch_md_ctx);
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
tls.wbuf.reset();
|
tls.wbuf.reset();
|
||||||
tls.rbuf.reset();
|
tls.rbuf.reset();
|
||||||
tls.last_write_idle = 0.;
|
tls.last_write_idle = 0.;
|
||||||
tls.warmup_writelen = 0;
|
tls.warmup_writelen = 0;
|
||||||
tls.last_writelen = 0;
|
tls.last_writelen = 0;
|
||||||
tls.last_readlen = 0;
|
tls.last_readlen = 0;
|
||||||
tls.handshake_state = 0;
|
tls.handshake_state = TLS_CONN_NORMAL;
|
||||||
tls.initial_handshake_done = false;
|
tls.initial_handshake_done = false;
|
||||||
tls.reneg_started = false;
|
tls.reneg_started = false;
|
||||||
tls.sct_requested = false;
|
tls.sct_requested = false;
|
||||||
|
tls.early_data_finish = false;
|
||||||
|
tls.early_cb_called = false;
|
||||||
|
tls.postpone_early_data = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (fd != -1) {
|
if (fd != -1) {
|
||||||
|
@ -141,11 +163,23 @@ void Connection::disconnect() {
|
||||||
wlimit.stopw();
|
wlimit.stopw();
|
||||||
}
|
}
|
||||||
|
|
||||||
void Connection::prepare_client_handshake() { SSL_set_connect_state(tls.ssl); }
|
void Connection::prepare_client_handshake() {
|
||||||
|
SSL_set_connect_state(tls.ssl);
|
||||||
|
// This prevents SSL_read_early_data from being called.
|
||||||
|
tls.early_data_finish = true;
|
||||||
|
}
|
||||||
|
|
||||||
void Connection::prepare_server_handshake() {
|
void Connection::prepare_server_handshake() {
|
||||||
SSL_set_accept_state(tls.ssl);
|
SSL_set_accept_state(tls.ssl);
|
||||||
tls.server_handshake = true;
|
tls.server_handshake = true;
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (!tls.ch_md_ctx) {
|
||||||
|
tls.ch_md_ctx = EVP_MD_CTX_new();
|
||||||
|
}
|
||||||
|
|
||||||
|
EVP_DigestInit_ex(tls.ch_md_ctx, EVP_sha256(), nullptr);
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
}
|
}
|
||||||
|
|
||||||
// BIO implementation is inspired by openldap implementation:
|
// BIO implementation is inspired by openldap implementation:
|
||||||
|
@ -219,7 +253,19 @@ int shrpx_bio_read(BIO *b, char *buf, int len) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
return rbuf.remove(buf, len);
|
len = rbuf.remove(buf, len);
|
||||||
|
|
||||||
|
if (conn->tls.early_cb_called) {
|
||||||
|
return len;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (EVP_DigestUpdate(conn->tls.ch_md_ctx, buf, len) == 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
|
return len;
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
@ -327,8 +373,9 @@ int Connection::tls_handshake() {
|
||||||
wlimit.stopw();
|
wlimit.stopw();
|
||||||
ev_timer_stop(loop, &wt);
|
ev_timer_stop(loop, &wt);
|
||||||
|
|
||||||
|
std::array<uint8_t, 16_k> buf;
|
||||||
|
|
||||||
if (ev_is_active(&rev)) {
|
if (ev_is_active(&rev)) {
|
||||||
std::array<uint8_t, 8_k> buf;
|
|
||||||
auto nread = read_clear(buf.data(), buf.size());
|
auto nread = read_clear(buf.data(), buf.size());
|
||||||
if (nread < 0) {
|
if (nread < 0) {
|
||||||
if (LOG_ENABLED(INFO)) {
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
@ -348,6 +395,7 @@ int Connection::tls_handshake() {
|
||||||
|
|
||||||
switch (tls.handshake_state) {
|
switch (tls.handshake_state) {
|
||||||
case TLS_CONN_WAIT_FOR_SESSION_CACHE:
|
case TLS_CONN_WAIT_FOR_SESSION_CACHE:
|
||||||
|
case TLS_CONN_WAIT_FOR_ANTI_REPLAY:
|
||||||
return SHRPX_ERR_INPROGRESS;
|
return SHRPX_ERR_INPROGRESS;
|
||||||
case TLS_CONN_GOT_SESSION_CACHE: {
|
case TLS_CONN_GOT_SESSION_CACHE: {
|
||||||
// Use the same trick invented by @kazuho in h2o project.
|
// Use the same trick invented by @kazuho in h2o project.
|
||||||
|
@ -381,9 +429,73 @@ int Connection::tls_handshake() {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int rv;
|
||||||
|
|
||||||
ERR_clear_error();
|
ERR_clear_error();
|
||||||
|
|
||||||
auto rv = SSL_do_handshake(tls.ssl);
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (!tls.server_handshake || tls.early_data_finish) {
|
||||||
|
rv = SSL_do_handshake(tls.ssl);
|
||||||
|
} else {
|
||||||
|
for (;;) {
|
||||||
|
size_t nread;
|
||||||
|
|
||||||
|
rv = SSL_read_early_data(tls.ssl, buf.data(), buf.size(), &nread);
|
||||||
|
if (rv == SSL_READ_EARLY_DATA_ERROR) {
|
||||||
|
if (SSL_get_error(tls.ssl, rv) == SSL_ERROR_WANT_CLIENT_HELLO_CB) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO)
|
||||||
|
<< "tls: early_cb returns negative return value; handshake "
|
||||||
|
"interrupted";
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we have early data, and server sends ServerHello, assume
|
||||||
|
// that handshake is completed in server side, and start
|
||||||
|
// processing request. If we don't exit handshake code here,
|
||||||
|
// server waits for EndOfEarlyData and Finished message from
|
||||||
|
// client, which voids the purpose of 0-RTT data. The left
|
||||||
|
// over of handshake is done through write_tls or read_tls.
|
||||||
|
if (!tls.postpone_early_data &&
|
||||||
|
(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
|
||||||
|
tls.wbuf.rleft()) &&
|
||||||
|
tls.earlybuf.rleft()) {
|
||||||
|
rv = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "tls: read early data " << nread << " bytes";
|
||||||
|
}
|
||||||
|
|
||||||
|
tls.earlybuf.append(buf.data(), nread);
|
||||||
|
|
||||||
|
if (rv == SSL_READ_EARLY_DATA_FINISH) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "tls: read all early data; total "
|
||||||
|
<< tls.earlybuf.rleft() << " bytes";
|
||||||
|
}
|
||||||
|
tls.early_data_finish = true;
|
||||||
|
// The same reason stated above.
|
||||||
|
if (!tls.postpone_early_data &&
|
||||||
|
(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
|
||||||
|
tls.wbuf.rleft()) &&
|
||||||
|
tls.earlybuf.rleft()) {
|
||||||
|
rv = 1;
|
||||||
|
} else {
|
||||||
|
ERR_clear_error();
|
||||||
|
rv = SSL_do_handshake(tls.ssl);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#else // !OPENSSL_1_1_1_API
|
||||||
|
rv = SSL_do_handshake(tls.ssl);
|
||||||
|
#endif // !OPENSSL_1_1_1_API
|
||||||
|
|
||||||
if (rv <= 0) {
|
if (rv <= 0) {
|
||||||
auto err = SSL_get_error(tls.ssl, rv);
|
auto err = SSL_get_error(tls.ssl, rv);
|
||||||
|
@ -397,6 +509,9 @@ int Connection::tls_handshake() {
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SSL_ERROR_WANT_WRITE:
|
case SSL_ERROR_WANT_WRITE:
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
case SSL_ERROR_WANT_CLIENT_HELLO_CB:
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
break;
|
break;
|
||||||
case SSL_ERROR_SSL:
|
case SSL_ERROR_SSL:
|
||||||
if (LOG_ENABLED(INFO)) {
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
@ -412,7 +527,8 @@ int Connection::tls_handshake() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tls.handshake_state == TLS_CONN_WAIT_FOR_SESSION_CACHE) {
|
if (tls.handshake_state == TLS_CONN_WAIT_FOR_SESSION_CACHE ||
|
||||||
|
tls.handshake_state == TLS_CONN_WAIT_FOR_ANTI_REPLAY) {
|
||||||
if (LOG_ENABLED(INFO)) {
|
if (LOG_ENABLED(INFO)) {
|
||||||
LOG(INFO) << "tls: handshake is still in progress";
|
LOG(INFO) << "tls: handshake is still in progress";
|
||||||
}
|
}
|
||||||
|
@ -619,7 +735,21 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
|
||||||
|
|
||||||
ERR_clear_error();
|
ERR_clear_error();
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
int rv;
|
||||||
|
if (SSL_is_init_finished(tls.ssl)) {
|
||||||
|
rv = SSL_write(tls.ssl, data, len);
|
||||||
|
} else {
|
||||||
|
size_t nwrite;
|
||||||
|
rv = SSL_write_early_data(tls.ssl, data, len, &nwrite);
|
||||||
|
// Use the same semantics with SSL_write.
|
||||||
|
if (rv == 1) {
|
||||||
|
rv = nwrite;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#else // !OPENSSL_1_1_1_API
|
||||||
auto rv = SSL_write(tls.ssl, data, len);
|
auto rv = SSL_write(tls.ssl, data, len);
|
||||||
|
#endif // !OPENSSL_1_1_1_API
|
||||||
|
|
||||||
if (rv <= 0) {
|
if (rv <= 0) {
|
||||||
auto err = SSL_get_error(tls.ssl, rv);
|
auto err = SSL_get_error(tls.ssl, rv);
|
||||||
|
@ -654,6 +784,14 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
|
||||||
}
|
}
|
||||||
|
|
||||||
ssize_t Connection::read_tls(void *data, size_t len) {
|
ssize_t Connection::read_tls(void *data, size_t len) {
|
||||||
|
ERR_clear_error();
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (tls.earlybuf.rleft()) {
|
||||||
|
return tls.earlybuf.remove(data, len);
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
// SSL_read requires the same arguments (buf pointer and its
|
// SSL_read requires the same arguments (buf pointer and its
|
||||||
// length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
|
// length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
|
||||||
// rlimit_.avail() or rlimit_.avail() may return different length
|
// rlimit_.avail() or rlimit_.avail() may return different length
|
||||||
|
@ -671,7 +809,46 @@ ssize_t Connection::read_tls(void *data, size_t len) {
|
||||||
tls.last_readlen = 0;
|
tls.last_readlen = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ERR_clear_error();
|
#if OPENSSL_1_1_1_API
|
||||||
|
if (!tls.early_data_finish) {
|
||||||
|
// TLSv1.3 handshake is still going on.
|
||||||
|
size_t nread;
|
||||||
|
auto rv = SSL_read_early_data(tls.ssl, data, len, &nread);
|
||||||
|
if (rv == SSL_READ_EARLY_DATA_ERROR) {
|
||||||
|
auto err = SSL_get_error(tls.ssl, rv);
|
||||||
|
switch (err) {
|
||||||
|
case SSL_ERROR_WANT_READ:
|
||||||
|
tls.last_readlen = len;
|
||||||
|
return 0;
|
||||||
|
case SSL_ERROR_SSL:
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "SSL_read: "
|
||||||
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||||
|
}
|
||||||
|
return SHRPX_ERR_NETWORK;
|
||||||
|
default:
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "SSL_read: SSL_get_error returned " << err;
|
||||||
|
}
|
||||||
|
return SHRPX_ERR_NETWORK;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "tls: read early data " << nread << " bytes";
|
||||||
|
}
|
||||||
|
|
||||||
|
if (rv == SSL_READ_EARLY_DATA_FINISH) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "tls: read all early data";
|
||||||
|
}
|
||||||
|
tls.early_data_finish = true;
|
||||||
|
// We may have stopped write watcher in write_tls.
|
||||||
|
wlimit.startw();
|
||||||
|
}
|
||||||
|
return nread;
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
auto rv = SSL_read(tls.ssl, data, len);
|
auto rv = SSL_read(tls.ssl, data, len);
|
||||||
|
|
||||||
|
|
|
@ -32,10 +32,12 @@
|
||||||
#include <ev.h>
|
#include <ev.h>
|
||||||
|
|
||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
#include "shrpx_rate_limit.h"
|
#include "shrpx_rate_limit.h"
|
||||||
#include "shrpx_error.h"
|
#include "shrpx_error.h"
|
||||||
#include "memchunk.h"
|
#include "memchunk.h"
|
||||||
|
#include "ssl_compat.h"
|
||||||
|
|
||||||
namespace shrpx {
|
namespace shrpx {
|
||||||
|
|
||||||
|
@ -50,16 +52,26 @@ enum {
|
||||||
TLS_CONN_WAIT_FOR_SESSION_CACHE,
|
TLS_CONN_WAIT_FOR_SESSION_CACHE,
|
||||||
TLS_CONN_GOT_SESSION_CACHE,
|
TLS_CONN_GOT_SESSION_CACHE,
|
||||||
TLS_CONN_CANCEL_SESSION_CACHE,
|
TLS_CONN_CANCEL_SESSION_CACHE,
|
||||||
|
TLS_CONN_WAIT_FOR_ANTI_REPLAY,
|
||||||
TLS_CONN_WRITE_STARTED,
|
TLS_CONN_WRITE_STARTED,
|
||||||
};
|
};
|
||||||
|
|
||||||
struct TLSConnection {
|
struct TLSConnection {
|
||||||
DefaultMemchunks wbuf;
|
DefaultMemchunks wbuf;
|
||||||
DefaultPeekMemchunks rbuf;
|
DefaultPeekMemchunks rbuf;
|
||||||
|
// Stores TLSv1.3 early data.
|
||||||
|
DefaultMemchunks earlybuf;
|
||||||
|
// Message digest of ClientHello in hex string.
|
||||||
|
StringRef ch_hex_md;
|
||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
SSL_SESSION *cached_session;
|
SSL_SESSION *cached_session;
|
||||||
MemcachedRequest *cached_session_lookup_req;
|
MemcachedRequest *cached_session_lookup_req;
|
||||||
tls::TLSSessionCache *client_session_cache;
|
tls::TLSSessionCache *client_session_cache;
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
// Message digest context to calculate ClientHello for anti-replay.
|
||||||
|
EVP_MD_CTX *ch_md_ctx;
|
||||||
|
#endif // !OPENSSL_1_1_1_API
|
||||||
|
MemcachedRequest *anti_replay_req;
|
||||||
ev_tstamp last_write_idle;
|
ev_tstamp last_write_idle;
|
||||||
size_t warmup_writelen;
|
size_t warmup_writelen;
|
||||||
// length passed to SSL_write and SSL_read last time. This is
|
// length passed to SSL_write and SSL_read last time. This is
|
||||||
|
@ -74,6 +86,17 @@ struct TLSConnection {
|
||||||
// true if ssl is initialized as server, and client requested
|
// true if ssl is initialized as server, and client requested
|
||||||
// signed_certificate_timestamp extension.
|
// signed_certificate_timestamp extension.
|
||||||
bool sct_requested;
|
bool sct_requested;
|
||||||
|
// true if TLSv1.3 early data has been completely received. Since
|
||||||
|
// SSL_read_early_data acts like SSL_do_handshake, this field may be
|
||||||
|
// true even if the negotiated TLS version is TLSv1.2 or earlier.
|
||||||
|
// This value is also true if this is client side connection for
|
||||||
|
// convenience.
|
||||||
|
bool early_data_finish;
|
||||||
|
// true if early_cb gets called.
|
||||||
|
bool early_cb_called;
|
||||||
|
// true if processing early data should be postponed until handshake
|
||||||
|
// finishes.
|
||||||
|
bool postpone_early_data;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct TCPHint {
|
struct TCPHint {
|
||||||
|
|
|
@ -235,9 +235,24 @@ int ConnectionHandler::create_single_worker() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SSL_CTX *anti_replay_ssl_ctx = nullptr;
|
||||||
|
{
|
||||||
|
auto &memcachedconf = config->tls.anti_replay.memcached;
|
||||||
|
|
||||||
|
if (memcachedconf.tls) {
|
||||||
|
anti_replay_ssl_ctx = tls::create_ssl_client_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
nb_.get(),
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
tlsconf.cacert, memcachedconf.cert_file,
|
||||||
|
memcachedconf.private_key_file, nullptr);
|
||||||
|
all_ssl_ctx_.push_back(anti_replay_ssl_ctx);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
single_worker_ = make_unique<Worker>(
|
single_worker_ = make_unique<Worker>(
|
||||||
loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
|
loop_, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, anti_replay_ssl_ctx,
|
||||||
ticket_keys_, this, config->conn.downstream);
|
cert_tree_.get(), ticket_keys_, this, config->conn.downstream);
|
||||||
#ifdef HAVE_MRUBY
|
#ifdef HAVE_MRUBY
|
||||||
if (single_worker_->create_mruby_context() != 0) {
|
if (single_worker_->create_mruby_context() != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -293,12 +308,28 @@ int ConnectionHandler::create_worker_thread(size_t num) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SSL_CTX *anti_replay_ssl_ctx = nullptr;
|
||||||
|
{
|
||||||
|
auto &memcachedconf = config->tls.anti_replay.memcached;
|
||||||
|
|
||||||
|
if (memcachedconf.tls) {
|
||||||
|
anti_replay_ssl_ctx = tls::create_ssl_client_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
nb_.get(),
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
tlsconf.cacert, memcachedconf.cert_file,
|
||||||
|
memcachedconf.private_key_file, nullptr);
|
||||||
|
all_ssl_ctx_.push_back(anti_replay_ssl_ctx);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for (size_t i = 0; i < num; ++i) {
|
for (size_t i = 0; i < num; ++i) {
|
||||||
auto loop = ev_loop_new(config->ev_loop_flags);
|
auto loop = ev_loop_new(config->ev_loop_flags);
|
||||||
|
|
||||||
auto worker = make_unique<Worker>(
|
auto worker =
|
||||||
loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx, cert_tree_.get(),
|
make_unique<Worker>(loop, sv_ssl_ctx, cl_ssl_ctx, session_cache_ssl_ctx,
|
||||||
ticket_keys_, this, config->conn.downstream);
|
anti_replay_ssl_ctx, cert_tree_.get(), ticket_keys_,
|
||||||
|
this, config->conn.downstream);
|
||||||
#ifdef HAVE_MRUBY
|
#ifdef HAVE_MRUBY
|
||||||
if (worker->create_mruby_context() != 0) {
|
if (worker->create_mruby_context() != 0) {
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
@ -271,7 +271,7 @@ int Http2DownstreamConnection::push_request_headers() {
|
||||||
num_cookies = downstream_->count_crumble_request_cookie();
|
num_cookies = downstream_->count_crumble_request_cookie();
|
||||||
}
|
}
|
||||||
|
|
||||||
// 9 means:
|
// 10 means:
|
||||||
// 1. :method
|
// 1. :method
|
||||||
// 2. :scheme
|
// 2. :scheme
|
||||||
// 3. :path
|
// 3. :path
|
||||||
|
@ -281,8 +281,9 @@ int Http2DownstreamConnection::push_request_headers() {
|
||||||
// 7. x-forwarded-proto (optional)
|
// 7. x-forwarded-proto (optional)
|
||||||
// 8. te (optional)
|
// 8. te (optional)
|
||||||
// 9. forwarded (optional)
|
// 9. forwarded (optional)
|
||||||
|
// 10. nghttpx-0rtt-uniq (optional)
|
||||||
auto nva = std::vector<nghttp2_nv>();
|
auto nva = std::vector<nghttp2_nv>();
|
||||||
nva.reserve(req.fs.headers().size() + 9 + num_cookies +
|
nva.reserve(req.fs.headers().size() + 10 + num_cookies +
|
||||||
httpconf.add_request_headers.size());
|
httpconf.add_request_headers.size());
|
||||||
|
|
||||||
nva.push_back(
|
nva.push_back(
|
||||||
|
@ -311,11 +312,15 @@ int Http2DownstreamConnection::push_request_headers() {
|
||||||
auto &fwdconf = httpconf.forwarded;
|
auto &fwdconf = httpconf.forwarded;
|
||||||
auto &xffconf = httpconf.xff;
|
auto &xffconf = httpconf.xff;
|
||||||
auto &xfpconf = httpconf.xfp;
|
auto &xfpconf = httpconf.xfp;
|
||||||
|
auto &zero_rtt_uniqconf = httpconf.zero_rtt_uniq;
|
||||||
|
|
||||||
uint32_t build_flags =
|
uint32_t build_flags =
|
||||||
(fwdconf.strip_incoming ? http2::HDOP_STRIP_FORWARDED : 0) |
|
(fwdconf.strip_incoming ? http2::HDOP_STRIP_FORWARDED : 0) |
|
||||||
(xffconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_FOR : 0) |
|
(xffconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_FOR : 0) |
|
||||||
(xfpconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_PROTO : 0);
|
(xfpconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_PROTO : 0) |
|
||||||
|
(zero_rtt_uniqconf.strip_incoming
|
||||||
|
? http2::HDOP_STRIP_NGHTTPX_ZERO_RTT_UNIQ
|
||||||
|
: 0);
|
||||||
|
|
||||||
http2::copy_headers_to_nva_nocopy(nva, req.fs.headers(), build_flags);
|
http2::copy_headers_to_nva_nocopy(nva, req.fs.headers(), build_flags);
|
||||||
|
|
||||||
|
@ -326,6 +331,15 @@ int Http2DownstreamConnection::push_request_headers() {
|
||||||
auto upstream = downstream_->get_upstream();
|
auto upstream = downstream_->get_upstream();
|
||||||
auto handler = upstream->get_client_handler();
|
auto handler = upstream->get_client_handler();
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
auto conn = handler->get_connection();
|
||||||
|
|
||||||
|
if (!SSL_is_init_finished(conn->tls.ssl)) {
|
||||||
|
nva.push_back(
|
||||||
|
http2::make_nv_ls_nocopy("nghttpx-0rtt-uniq", conn->tls.ch_hex_md));
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
auto fwd =
|
auto fwd =
|
||||||
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);
|
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);
|
||||||
|
|
||||||
|
|
|
@ -535,11 +535,15 @@ int HttpDownstreamConnection::push_request_headers() {
|
||||||
auto &fwdconf = httpconf.forwarded;
|
auto &fwdconf = httpconf.forwarded;
|
||||||
auto &xffconf = httpconf.xff;
|
auto &xffconf = httpconf.xff;
|
||||||
auto &xfpconf = httpconf.xfp;
|
auto &xfpconf = httpconf.xfp;
|
||||||
|
auto &zero_rtt_uniqconf = httpconf.zero_rtt_uniq;
|
||||||
|
|
||||||
uint32_t build_flags =
|
uint32_t build_flags =
|
||||||
(fwdconf.strip_incoming ? http2::HDOP_STRIP_FORWARDED : 0) |
|
(fwdconf.strip_incoming ? http2::HDOP_STRIP_FORWARDED : 0) |
|
||||||
(xffconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_FOR : 0) |
|
(xffconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_FOR : 0) |
|
||||||
(xfpconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_PROTO : 0);
|
(xfpconf.strip_incoming ? http2::HDOP_STRIP_X_FORWARDED_PROTO : 0) |
|
||||||
|
(zero_rtt_uniqconf.strip_incoming
|
||||||
|
? http2::HDOP_STRIP_NGHTTPX_ZERO_RTT_UNIQ
|
||||||
|
: 0);
|
||||||
|
|
||||||
http2::build_http1_headers_from_headers(buf, req.fs.headers(), build_flags);
|
http2::build_http1_headers_from_headers(buf, req.fs.headers(), build_flags);
|
||||||
|
|
||||||
|
@ -580,6 +584,16 @@ int HttpDownstreamConnection::push_request_headers() {
|
||||||
auto upstream = downstream_->get_upstream();
|
auto upstream = downstream_->get_upstream();
|
||||||
auto handler = upstream->get_client_handler();
|
auto handler = upstream->get_client_handler();
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
auto conn = handler->get_connection();
|
||||||
|
|
||||||
|
if (!SSL_is_init_finished(conn->tls.ssl)) {
|
||||||
|
buf->append("Nghttpx-0rtt-uniq: ");
|
||||||
|
buf->append(conn->tls.ch_hex_md);
|
||||||
|
buf->append("\r\n");
|
||||||
|
}
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
auto fwd =
|
auto fwd =
|
||||||
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);
|
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);
|
||||||
|
|
||||||
|
|
|
@ -108,8 +108,9 @@ void RateLimit::stopw() {
|
||||||
}
|
}
|
||||||
|
|
||||||
void RateLimit::handle_tls_pending_read() {
|
void RateLimit::handle_tls_pending_read() {
|
||||||
if (!conn_ || !conn_->tls.ssl ||
|
if (!conn_ || !conn_->tls.ssl || !conn_->tls.initial_handshake_done ||
|
||||||
(SSL_pending(conn_->tls.ssl) == 0 && conn_->tls.rbuf.rleft() == 0)) {
|
(SSL_pending(conn_->tls.ssl) == 0 && conn_->tls.rbuf.rleft() == 0 &&
|
||||||
|
conn_->tls.earlybuf.rleft() == 0)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
110
src/shrpx_tls.cc
110
src/shrpx_tls.cc
|
@ -510,6 +510,13 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
void info_callback(const SSL *ssl, int where, int ret) {
|
void info_callback(const SSL *ssl, int where, int ret) {
|
||||||
|
#ifdef TLS1_3_VERSION
|
||||||
|
// TLSv1.3 has no renegotiation.
|
||||||
|
if (SSL_version(ssl) == TLS1_3_VERSION) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#endif // TLS1_3_VERSION
|
||||||
|
|
||||||
// To mitigate possible DOS attack using lots of renegotiations, we
|
// To mitigate possible DOS attack using lots of renegotiations, we
|
||||||
// disable renegotiation. Since OpenSSL does not provide an easy way
|
// disable renegotiation. Since OpenSSL does not provide an easy way
|
||||||
// to disable it, we check that renegotiation is started in this
|
// to disable it, we check that renegotiation is started in this
|
||||||
|
@ -527,6 +534,105 @@ void info_callback(const SSL *ssl, int where, int ret) {
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
constexpr auto MEMCACHED_ANTI_REPLY_KEY_PREFIX =
|
||||||
|
StringRef::from_lit("nghttpx:anti-reply:");
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
int early_cb(SSL *ssl, int *al, void *arg) {
|
||||||
|
auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
|
||||||
|
if (conn->tls.early_cb_called) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
conn->tls.early_cb_called = true;
|
||||||
|
|
||||||
|
const unsigned char *ext;
|
||||||
|
size_t extlen;
|
||||||
|
|
||||||
|
if (!SSL_client_hello_get0_ext(conn->tls.ssl, TLSEXT_TYPE_early_data, &ext,
|
||||||
|
&extlen)) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "early_data extension does not exist";
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!SSL_client_hello_get0_ext(conn->tls.ssl, TLSEXT_TYPE_psk, &ext,
|
||||||
|
&extlen)) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "pre_shared_key extension does not exist";
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::array<uint8_t, 32> md;
|
||||||
|
unsigned int mdlen;
|
||||||
|
if (EVP_DigestFinal_ex(conn->tls.ch_md_ctx, md.data(), &mdlen) == 0) {
|
||||||
|
LOG(ERROR) << "EVP_DigestFinal_ex failed";
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
assert(md.size() == mdlen);
|
||||||
|
|
||||||
|
auto handler = static_cast<ClientHandler *>(conn->data);
|
||||||
|
auto worker = handler->get_worker();
|
||||||
|
auto dispatcher = worker->get_anti_replay_memcached_dispatcher();
|
||||||
|
auto &balloc = handler->get_block_allocator();
|
||||||
|
|
||||||
|
auto &tlsconf = get_config()->tls;
|
||||||
|
|
||||||
|
conn->tls.ch_hex_md =
|
||||||
|
util::format_hex(balloc, StringRef{std::begin(md), std::end(md)});
|
||||||
|
|
||||||
|
if (tlsconf.anti_replay.memcached.host.empty()) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
auto req = make_unique<MemcachedRequest>();
|
||||||
|
req->op = MEMCACHED_OP_ADD;
|
||||||
|
req->key = MEMCACHED_ANTI_REPLY_KEY_PREFIX.str();
|
||||||
|
req->key += conn->tls.ch_hex_md;
|
||||||
|
|
||||||
|
// TODO No value at the moment
|
||||||
|
|
||||||
|
// Set the same timeout value for session with the hope that
|
||||||
|
// OpenSSL library invalidates the outdated ticket.
|
||||||
|
req->expiry = tlsconf.session_timeout.count();
|
||||||
|
req->cb = [conn](MemcachedRequest *req, MemcachedResult res) {
|
||||||
|
if (LOG_ENABLED(INFO)) {
|
||||||
|
LOG(INFO) << "Memcached: ClientHello anti-replay registration done. key="
|
||||||
|
<< req->key << ", status_code=" << res.status_code;
|
||||||
|
}
|
||||||
|
|
||||||
|
// We might stop reading, so start it again
|
||||||
|
conn->rlimit.startw();
|
||||||
|
ev_timer_again(conn->loop, &conn->rt);
|
||||||
|
|
||||||
|
conn->wlimit.startw();
|
||||||
|
ev_timer_again(conn->loop, &conn->wt);
|
||||||
|
|
||||||
|
conn->tls.anti_replay_req = nullptr;
|
||||||
|
|
||||||
|
if (res.status_code != 0) {
|
||||||
|
// If we cannot add key/value, just postpone processing 0-RTT
|
||||||
|
// early data until handshake finishes. Note that memcached
|
||||||
|
// atomically adds key/value.
|
||||||
|
conn->tls.postpone_early_data = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
conn->tls.handshake_state = TLS_CONN_NORMAL;
|
||||||
|
};
|
||||||
|
|
||||||
|
conn->tls.handshake_state = TLS_CONN_WAIT_FOR_ANTI_REPLAY;
|
||||||
|
conn->tls.anti_replay_req = req.get();
|
||||||
|
|
||||||
|
dispatcher->add_request(std::move(req));
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} // namespace
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
namespace {
|
namespace {
|
||||||
int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
|
int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
|
||||||
|
@ -913,6 +1019,10 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
#endif // OPENSSL_IS_BORINGSSL
|
#endif // OPENSSL_IS_BORINGSSL
|
||||||
SSL_CTX_set_info_callback(ssl_ctx, info_callback);
|
SSL_CTX_set_info_callback(ssl_ctx, info_callback);
|
||||||
|
|
||||||
|
#if OPENSSL_1_1_1_API
|
||||||
|
SSL_CTX_set_client_hello_cb(ssl_ctx, early_cb, nullptr);
|
||||||
|
#endif // OPENSSL_1_1_1_API
|
||||||
|
|
||||||
#ifdef OPENSSL_IS_BORINGSSL
|
#ifdef OPENSSL_IS_BORINGSSL
|
||||||
SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
|
SSL_CTX_set_early_data_enabled(ssl_ctx, 1);
|
||||||
#endif // OPENSSL_IS_BORINGSSL
|
#endif // OPENSSL_IS_BORINGSSL
|
||||||
|
|
|
@ -118,6 +118,7 @@ bool match_shared_downstream_addr(
|
||||||
|
|
||||||
Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
||||||
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
||||||
|
SSL_CTX *tls_anti_replay_memcached_ssl_ctx,
|
||||||
tls::CertLookupTree *cert_tree,
|
tls::CertLookupTree *cert_tree,
|
||||||
const std::shared_ptr<TicketKeys> &ticket_keys,
|
const std::shared_ptr<TicketKeys> &ticket_keys,
|
||||||
ConnectionHandler *conn_handler,
|
ConnectionHandler *conn_handler,
|
||||||
|
@ -153,6 +154,15 @@ Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
||||||
StringRef{session_cacheconf.memcached.host}, &mcpool_, randgen_);
|
StringRef{session_cacheconf.memcached.host}, &mcpool_, randgen_);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
auto &anti_replayconf = get_config()->tls.anti_replay;
|
||||||
|
|
||||||
|
if (!anti_replayconf.memcached.host.empty()) {
|
||||||
|
anti_replay_memcached_dispatcher_ = make_unique<MemcachedDispatcher>(
|
||||||
|
&anti_replayconf.memcached.addr, loop,
|
||||||
|
tls_anti_replay_memcached_ssl_ctx, anti_replayconf.memcached.host,
|
||||||
|
&mcpool_, randgen_);
|
||||||
|
}
|
||||||
|
|
||||||
replace_downstream_config(std::move(downstreamconf));
|
replace_downstream_config(std::move(downstreamconf));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -474,6 +484,10 @@ MemcachedDispatcher *Worker::get_session_cache_memcached_dispatcher() {
|
||||||
return session_cache_memcached_dispatcher_.get();
|
return session_cache_memcached_dispatcher_.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
MemcachedDispatcher *Worker::get_anti_replay_memcached_dispatcher() const {
|
||||||
|
return anti_replay_memcached_dispatcher_.get();
|
||||||
|
}
|
||||||
|
|
||||||
std::mt19937 &Worker::get_randgen() { return randgen_; }
|
std::mt19937 &Worker::get_randgen() { return randgen_; }
|
||||||
|
|
||||||
#ifdef HAVE_MRUBY
|
#ifdef HAVE_MRUBY
|
||||||
|
|
|
@ -221,6 +221,7 @@ class Worker {
|
||||||
public:
|
public:
|
||||||
Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
|
||||||
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
SSL_CTX *tls_session_cache_memcached_ssl_ctx,
|
||||||
|
SSL_CTX *tls_anti_replay_memcached_ssl_ctx,
|
||||||
tls::CertLookupTree *cert_tree,
|
tls::CertLookupTree *cert_tree,
|
||||||
const std::shared_ptr<TicketKeys> &ticket_keys,
|
const std::shared_ptr<TicketKeys> &ticket_keys,
|
||||||
ConnectionHandler *conn_handler,
|
ConnectionHandler *conn_handler,
|
||||||
|
@ -250,6 +251,7 @@ public:
|
||||||
void schedule_clear_mcpool();
|
void schedule_clear_mcpool();
|
||||||
|
|
||||||
MemcachedDispatcher *get_session_cache_memcached_dispatcher();
|
MemcachedDispatcher *get_session_cache_memcached_dispatcher();
|
||||||
|
MemcachedDispatcher *get_anti_replay_memcached_dispatcher() const;
|
||||||
|
|
||||||
std::mt19937 &get_randgen();
|
std::mt19937 &get_randgen();
|
||||||
|
|
||||||
|
@ -289,6 +291,7 @@ private:
|
||||||
|
|
||||||
std::shared_ptr<DownstreamConfig> downstreamconf_;
|
std::shared_ptr<DownstreamConfig> downstreamconf_;
|
||||||
std::unique_ptr<MemcachedDispatcher> session_cache_memcached_dispatcher_;
|
std::unique_ptr<MemcachedDispatcher> session_cache_memcached_dispatcher_;
|
||||||
|
std::unique_ptr<MemcachedDispatcher> anti_replay_memcached_dispatcher_;
|
||||||
#ifdef HAVE_MRUBY
|
#ifdef HAVE_MRUBY
|
||||||
std::unique_ptr<mruby::MRubyContext> mruby_ctx_;
|
std::unique_ptr<mruby::MRubyContext> mruby_ctx_;
|
||||||
#endif // HAVE_MRUBY
|
#endif // HAVE_MRUBY
|
||||||
|
|
Loading…
Reference in New Issue