iv-org-mirror/litespeed-quic
1
0
Fork 0
mirror of https://gitea.invidious.io/iv-org/litespeed-quic.git synced 2024-08-15 00:53:43 +00:00
Code Issues Projects Releases Packages Wiki Activity

Release 2.27.0

Browse source 
- [API] Remove keylog callbacks.  See issue #188.
- Add a bit more ALPN logging.
This commit is contained in:
Dmitri Tikhonov 2020-12-31 07:58:48 -05:00
parent 292abba1f8
commit 6511378725
10 changed files with 120 additions and 177 deletions
Download patch file Download diff file Expand all files Collapse all files

5
CHANGELOG
View file

@ -1,3 +1,8 @@
2020-12-31
- 2.27.0
- [API] Remove keylog callbacks. See issue #188.
- Add a bit more ALPN logging.
2020-12-23
- 2.26.2
- [BUGFIX] Do not drop incoming data when STOP_SENDING is received.

109
bin/prog.c
View file

@ -38,8 +38,10 @@
#include "prog.h"
static int prog_stopped;
static const char *s_keylog_dir;
static SSL_CTX * get_ssl_ctx (void *, const struct sockaddr *);
static void keylog_log_line (const SSL *, const char *);
static const struct lsquic_packout_mem_if pmi = {
.pmi_allocate = pba_allocate,
@ -81,7 +83,7 @@ prog_init (struct prog *prog, unsigned flags,
= prog;
prog->prog_api.ea_pmi = &pmi;
prog->prog_api.ea_pmi_ctx = &prog->prog_pba;
prog->prog_api.ea_get_ssl_ctx = flags & LSENG_SERVER ? get_ssl_ctx : NULL;
prog->prog_api.ea_get_ssl_ctx = get_ssl_ctx;
#if LSQUIC_PREFERRED_ADDR
if (getenv("LSQUIC_PREFERRED_ADDR4") || getenv("LSQUIC_PREFERRED_ADDR6"))
prog->prog_flags |= PROG_SEARCH_ADDRS;
@ -356,7 +358,7 @@ prog_set_opt (struct prog *prog, int opt, const char *arg)
return -1;
}
}
prog->prog_keylog_dir = optarg;
s_keylog_dir = optarg;
if (prog->prog_settings.es_ql_bits)
{
LSQ_NOTICE("QL loss bits turned off because of -G. If you want "
@ -425,29 +427,41 @@ get_ssl_ctx (void *peer_ctx, const struct sockaddr *unused)
static int
prog_init_server (struct prog *prog)
prog_init_ssl_ctx (struct prog *prog)
{
struct service_port *sport;
unsigned char ticket_keys[48];
prog->prog_ssl_ctx = SSL_CTX_new(TLS_method());
if (prog->prog_ssl_ctx)
if (!prog->prog_ssl_ctx)
{
SSL_CTX_set_min_proto_version(prog->prog_ssl_ctx, TLS1_3_VERSION);
SSL_CTX_set_max_proto_version(prog->prog_ssl_ctx, TLS1_3_VERSION);
SSL_CTX_set_default_verify_paths(prog->prog_ssl_ctx);
/* This is obviously test code: the key is just an array of NUL bytes */
memset(ticket_keys, 0, sizeof(ticket_keys));
if (1 != SSL_CTX_set_tlsext_ticket_keys(prog->prog_ssl_ctx,
ticket_keys, sizeof(ticket_keys)))
{
LSQ_ERROR("SSL_CTX_set_tlsext_ticket_keys failed");
return -1;
}
LSQ_ERROR("cannot allocate SSL context");
return -1;
}
else
LSQ_WARN("cannot create SSL context");
SSL_CTX_set_min_proto_version(prog->prog_ssl_ctx, TLS1_3_VERSION);
SSL_CTX_set_max_proto_version(prog->prog_ssl_ctx, TLS1_3_VERSION);
SSL_CTX_set_default_verify_paths(prog->prog_ssl_ctx);
/* This is obviously test code: the key is just an array of NUL bytes */
memset(ticket_keys, 0, sizeof(ticket_keys));
if (1 != SSL_CTX_set_tlsext_ticket_keys(prog->prog_ssl_ctx,
ticket_keys, sizeof(ticket_keys)))
{
LSQ_ERROR("SSL_CTX_set_tlsext_ticket_keys failed");
return -1;
}
if (s_keylog_dir)
SSL_CTX_set_keylog_callback(prog->prog_ssl_ctx, keylog_log_line);
return 0;
}
static int
prog_init_server (struct prog *prog)
{
struct service_port *sport;
TAILQ_FOREACH(sport, prog->prog_sports, next_sport)
if (0 != sport_init_server(sport, prog->prog_engine, prog->prog_eb))
@ -582,55 +596,46 @@ prog_stop (struct prog *prog)
static void *
keylog_open (void *ctx, lsquic_conn_t *conn)
keylog_open_file (const SSL *ssl)
{
const struct prog *const prog = ctx;
const lsquic_conn_t *conn;
const lsquic_cid_t *cid;
FILE *fh;
int sz;
char id_str[MAX_CID_LEN * 2 + 1];
char path[PATH_MAX];
conn = lsquic_ssl_to_conn(ssl);
cid = lsquic_conn_id(conn);
lsquic_hexstr(cid->idbuf, cid->len, id_str, sizeof(id_str));
sz = snprintf(path, sizeof(path), "%s/%s.keys", prog->prog_keylog_dir,
id_str);
sz = snprintf(path, sizeof(path), "%s/%s.keys", s_keylog_dir, id_str);
if ((size_t) sz >= sizeof(path))
{
LSQ_WARN("%s: file too long", __func__);
return NULL;
}
fh = fopen(path, "w");
fh = fopen(path, "ab");
if (!fh)
LSQ_WARN("could not open %s for writing: %s", path, strerror(errno));
LSQ_WARN("could not open %s for appending: %s", path, strerror(errno));
return fh;
}
static void
keylog_log_line (void *handle, const char *line)
keylog_log_line (const SSL *ssl, const char *line)
{
fputs(line, handle);
fputs("\n", handle);
fflush(handle);
FILE *file;
file = keylog_open_file(ssl);
if (file)
{
fputs(line, file);
fputs("\n", file);
fclose(file);
}
}
static void
keylog_close (void *handle)
{
fclose(handle);
}
static const struct lsquic_keylog_if keylog_if =
{
.kli_open = keylog_open,
.kli_log_line = keylog_log_line,
.kli_close = keylog_close,
};
static struct ssl_ctx_st *
no_cert (void *cert_lu_ctx, const struct sockaddr *sa_UNUSED, const char *sni)
{
@ -644,10 +649,17 @@ prog_prep (struct prog *prog)
int s;
char err_buf[100];
if (prog->prog_keylog_dir)
if (s_keylog_dir && prog->prog_certs)
{
prog->prog_api.ea_keylog_if = &keylog_if;
prog->prog_api.ea_keylog_ctx = prog;
struct lsquic_hash_elem *el;
struct server_cert *cert;
for (el = lsquic_hash_first(prog->prog_certs); el;
el = lsquic_hash_next(prog->prog_certs))
{
cert = lsquic_hashelem_getdata(el);
SSL_CTX_set_keylog_callback(cert->ce_ssl_ctx, keylog_log_line);
}
}
if (0 != lsquic_engine_check_settings(prog->prog_api.ea_settings,
@ -696,6 +708,9 @@ prog_prep (struct prog *prog)
prog->prog_timer = event_new(prog->prog_eb, -1, 0,
prog_timer_handler, prog);
if (0 != prog_init_ssl_ctx(prog))
return -1;
if (prog->prog_engine_flags & LSENG_SERVER)
s = prog_init_server(prog);
else

1
bin/prog.h
View file

@ -45,7 +45,6 @@ struct prog
struct lsquic_engine *prog_engine;
const char *prog_hostname;
int prog_ipver; /* 0, 4, or 6 */
const char *prog_keylog_dir;
enum {
PROG_FLAG_COOLDOWN = 1 << 0,
#if LSQUIC_PREFERRED_ADDR

20
docs/apiref.rst
View file

@ -1981,6 +1981,10 @@ Miscellaneous Stream Functions
Other Functions
---------------
.. function:: lsquic_conn_t lsquic_ssl_to_conn (const SSL *)
Get connection associated with this SSL object.
.. function:: enum lsquic_version lsquic_str2ver (const char *str, size_t len)
Translate string QUIC version to LSQUIC QUIC version representation.
@ -2103,22 +2107,6 @@ Miscellaneous Types
Number of elements in the peer context pointer and connection ID arrays.
.. type:: struct lsquic_keylog_if
SSL keylog interface.
.. member:: void * (*kli_open) (void *keylog_ctx, lsquic_conn_t *conn)
Return keylog handle or NULL if no key logging is desired.
.. member:: void (*kli_log_line) (void *handle, const char *line)
Log line. The first argument is the pointer returned by ``kli_open()``.
.. member:: void (*kli_close) (void *handle)
Close handle.
.. type:: enum lsquic_logger_timestamp_style
Enumerate timestamp styles supported by LSQUIC logger mechanism.

4
docs/conf.py
View file

@ -24,9 +24,9 @@ copyright = u'2020, LiteSpeed Technologies'
author = u'LiteSpeed Technologies'
# The short X.Y version
version = u'2.26'
version = u'2.27'
# The full version, including alpha/beta/rc tags
release = u'2.26.2'
release = u'2.27.0'
# -- General configuration ---------------------------------------------------

57
docs/tutorial.rst
View file

@ -1078,28 +1078,9 @@ Key logging and Wireshark
`Wireshark`_ supports IETF QUIC. The developers have been very good at keeping up with latest versions.
You will need version 3.3 of Wireshark to support Internet-Draft 29. Support for HTTP/3 is in progress.
LSQUIC supports exporting TLS secrets. For that, you need to specify a set of function pointers via
:member:`lsquic_engine_api.ea_keylog_if`.
::
/* Secrets are logged per connection. Interface to open file (handle),
* log lines, and close file.
*/
struct lsquic_keylog_if {
void * (*kli_open) (void *keylog_ctx, lsquic_conn_t *);
void (*kli_log_line) (void *handle, const char *line);
void (*kli_close) (void *handle);
};
struct lsquic_engine_api {
/* --- 8< --- snip --- 8< --- */
const struct lsquic_keylog_if *ea_keylog_if;
void *ea_keylog_ctx;
};
There are three functions: one to open a file, one to write a line into the file, and one to close the file. The lines are not interpreted.
In the engine API struct, there are two members to set: one is the pointer to the struct with the function pointers, and the other is the context passed to "kli_open" function.
To export TLS secrets, use BoringSSL's ``SSL_CTX_set_keylog_callback()``.
Use `lsquic_ssl_to_conn()` to get the connection associated
with the SSL object.
Key logging example
-------------------
@ -1107,8 +1088,9 @@ Key logging example
::
static void *
keylog_open (void *ctx, lsquic_conn_t *conn)
keylog_open_file (const SSL *ssl)
{
const lsquic_conn_t *conn;
const lsquic_cid_t *cid;
FILE *fh;
int sz;
@ -1117,6 +1099,7 @@ Key logging example
char path[PATH_MAX];
static const char b2c[16] = "0123456789ABCDEF";
conn = lsquic_ssl_to_conn(ssl);
cid = lsquic_conn_id(conn);
for (i = 0; i < cid->len; ++i)
{
@ -1130,28 +1113,30 @@ Key logging example
LOG("WARN: %s: file too long", __func__);
return NULL;
}
fh = fopen(path, "wb");
fh = fopen(path, "ab");
if (!fh)
LOG("WARN: could not open %s for writing: %s", path, strerror(errno));
LOG("WARN: could not open %s for appending: %s", path, strerror(errno));
return fh;
}
static void
keylog_log_line (void *handle, const char *line)
keylog_log_line (const SSL *ssl, const char *line)
{
fputs(line, handle);
fputs("\n", handle);
fflush(handle);
file = keylog_open_file(ssl);
if (file)
{
fputs(line, file);
fputs("\n", file);
fclose(file);
}
}
static void
keylog_close (void *handle)
{
fclose(handle);
}
/* ... */
The function to open the file is passed the connection object. It can be used to generate a filename
based on the connection ID.
SSL_CTX_set_keylog_callback(ssl, keylog_log_line);
The most involved part of this is opening the necessary file, creating it if necessary.
The connection can be used to generate a filename based on the connection ID.
We see that the line logger simply writes the passed C string to the filehandle and appends a newline.
Wireshark screenshot

34
include/lsquic.h
View file

@ -24,8 +24,8 @@ extern "C" {
#endif
#define LSQUIC_MAJOR_VERSION 2
#define LSQUIC_MINOR_VERSION 26
#define LSQUIC_PATCH_VERSION 2
#define LSQUIC_MINOR_VERSION 27
#define LSQUIC_PATCH_VERSION 0
/**
* Engine flags:
@ -1237,26 +1237,6 @@ struct lsquic_hset_if
enum lsquic_hsi_flag hsi_flags;
};
/**
* SSL keylog interface.
*/
struct lsquic_keylog_if
{
/** Return keylog handle or NULL if no key logging is desired */
void * (*kli_open) (void *keylog_ctx, lsquic_conn_t *);
/**
* Log line. The first argument is the pointer returned by
* @ref kli_open.
*/
void (*kli_log_line) (void *handle, const char *line);
/**
* Close handle.
*/
void (*kli_close) (void *handle);
};
/**
* This struct contains a list of all callbacks that are used by the engine
* to communicate with the user code. Most of these are optional, while
@ -1333,12 +1313,6 @@ struct lsquic_engine_api
void /* FILE, really */ *ea_stats_fh;
#endif
/**
* Optional SSL key logging interface.
*/
const struct lsquic_keylog_if *ea_keylog_if;
void *ea_keylog_ctx;
/**
* The optional ALPN string is used by the client if @ref LSENG_HTTP
* is not set.
@ -2068,6 +2042,10 @@ lsquic_conn_status (lsquic_conn_t *, char *errbuf, size_t bufsz);
extern const char *const
lsquic_ver2str[N_LSQVER];
/* Return connection associated with this SSL object */
lsquic_conn_t *
lsquic_ssl_to_conn (const struct ssl_st *);
#ifdef __cplusplus
}
#endif

63
src/liblsquic/lsquic_enc_sess_ietf.c
View file

@ -109,15 +109,9 @@ no_sess_ticket (enum alarm_id alarm_id, void *ctx,
static int
iquic_new_session_cb (SSL *, SSL_SESSION *);
static void
keylog_callback (const SSL *, const char *);
static enum ssl_verify_result_t
verify_server_cert_callback (SSL *, uint8_t *out_alert);
static void
maybe_setup_key_logging (struct enc_sess_iquic *);
static void
iquic_esfi_destroy (enc_session_t *);
@ -260,7 +254,6 @@ struct enc_sess_iquic
} esi_flags;
enum enc_level esi_last_w;
unsigned esi_trasec_sz;
void *esi_keylog_handle;
#ifndef NDEBUG
char *esi_sni_bypass;
#endif
@ -886,6 +879,8 @@ iquic_esfi_create_client (const char *hostname,
goto err;
alpn_selected:
enc_sess->esi_alpn = am->alpn;
LSQ_DEBUG("for QUIC version %s, ALPN is %s",
lsquic_ver2str[am->version], (char *) am->alpn + 1);
}
if (enc_sess->esi_enpub->enp_get_ssl_ctx)
@ -916,8 +911,6 @@ iquic_esfi_create_client (const char *hostname,
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT);
if (enc_sess->esi_enpub->enp_stream_if->on_sess_resume_info)
SSL_CTX_sess_set_new_cb(ssl_ctx, iquic_new_session_cb);
if (enc_sess->esi_enpub->enp_kli)
SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
if (enc_sess->esi_enpub->enp_verify_cert
|| LSQ_LOG_ENABLED_EXT(LSQ_LOG_DEBUG, LSQLM_EVENT)
|| LSQ_LOG_ENABLED_EXT(LSQ_LOG_DEBUG, LSQLM_QLOG))
@ -954,8 +947,6 @@ iquic_esfi_create_client (const char *hostname,
goto err;
}
maybe_setup_key_logging(enc_sess);
if (enc_sess->esi_alpn &&
0 != SSL_set_alpn_protos(enc_sess->esi_ssl, enc_sess->esi_alpn,
enc_sess->esi_alpn[0] + 1))
@ -1243,31 +1234,6 @@ free_handshake_keys (struct enc_sess_iquic *enc_sess)
}
static void
keylog_callback (const SSL *ssl, const char *line)
{
struct enc_sess_iquic *enc_sess;
enc_sess = SSL_get_ex_data(ssl, s_idx);
if (enc_sess->esi_keylog_handle)
enc_sess->esi_enpub->enp_kli->kli_log_line(
enc_sess->esi_keylog_handle, line);
}
static void
maybe_setup_key_logging (struct enc_sess_iquic *enc_sess)
{
if (enc_sess->esi_enpub->enp_kli)
{
enc_sess->esi_keylog_handle = enc_sess->esi_enpub->enp_kli->kli_open(
enc_sess->esi_enpub->enp_kli_ctx, enc_sess->esi_conn);
LSQ_DEBUG("SSL keys %s be logged",
enc_sess->esi_keylog_handle ? "will" : "will not");
}
}
static enum ssl_verify_result_t
verify_server_cert_callback (SSL *ssl, uint8_t *out_alert)
{
@ -1332,8 +1298,6 @@ iquic_lookup_cert (SSL *ssl, void *arg)
{
LSQ_DEBUG("looked up cert for %s", server_name
? server_name : "<no SNI>");
if (enc_sess->esi_enpub->enp_kli)
SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
SSL_set_verify(enc_sess->esi_ssl,
SSL_CTX_get_verify_mode(ssl_ctx), NULL);
SSL_set_verify_depth(enc_sess->esi_ssl,
@ -1398,6 +1362,8 @@ iquic_esfi_init_server (enc_session_t *enc_session_p)
lsquic_ver2str[enc_sess->esi_conn->cn_version]);
return -1;
ok: enc_sess->esi_alpn = am->alpn;
LSQ_DEBUG("for QUIC version %s, ALPN is %s",
lsquic_ver2str[am->version], (char *) am->alpn + 1);
}
path = enc_sess->esi_conn->cn_if->ci_get_path(enc_sess->esi_conn, NULL);
@ -1429,9 +1395,6 @@ iquic_esfi_init_server (enc_session_t *enc_session_p)
LSQ_INFO("could not set early data context");
return -1;
}
maybe_setup_key_logging(enc_sess);
if (!enc_sess->esi_enpub->enp_lookup_cert && enc_sess->esi_keylog_handle)
SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
transpa_len = gen_trans_params(enc_sess, u.trans_params,
sizeof(u.trans_params));
@ -1988,8 +1951,6 @@ iquic_esfi_destroy (enc_session_t *enc_session_p)
+ sizeof(enc_sess->esi_frals) / sizeof(enc_sess->esi_frals[0]);
++fral)
lsquic_frab_list_cleanup(fral);
if (enc_sess->esi_keylog_handle)
enc_sess->esi_enpub->enp_kli->kli_close(enc_sess->esi_keylog_handle);
if (enc_sess->esi_ssl)
SSL_free(enc_sess->esi_ssl);
@ -3406,3 +3367,19 @@ lsquic_enc_sess_ietf_gen_quic_ctx (
errno);
return len;
}
struct lsquic_conn *
lsquic_ssl_to_conn (const struct ssl_st *ssl)
{
struct enc_sess_iquic *enc_sess;
if (s_idx < 0)
return NULL;
enc_sess = SSL_get_ex_data(ssl, s_idx);
if (!enc_sess)
return NULL;
return enc_sess->esi_conn;
}

2
src/liblsquic/lsquic_engine.c
View file

@ -647,8 +647,6 @@ lsquic_engine_new (unsigned flags,
}
engine->pub.enp_verify_cert = api->ea_verify_cert;
engine->pub.enp_verify_ctx = api->ea_verify_ctx;
engine->pub.enp_kli = api->ea_keylog_if;
engine->pub.enp_kli_ctx = api->ea_keylog_ctx;
engine->pub.enp_engine = engine;
if (hash_conns_by_addr(engine))
engine->flags |= ENG_CONNS_BY_ADDR;

2
src/liblsquic/lsquic_engine_public.h
View file

@ -56,8 +56,6 @@ struct lsquic_engine_public {
const struct lsquic_packout_mem_if
*enp_pmi;
void *enp_pmi_ctx;
const struct lsquic_keylog_if *enp_kli;
void *enp_kli_ctx;
struct lsquic_engine *enp_engine;
struct lsquic_hash *enp_srst_hash;
enum {