Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -570,6 +570,20 @@ check_symbol_exists(SSL_CTX_get0_implemented_groups "openssl/ssl.h" HAVE_SSL_CTX
check_symbol_exists(SSL_get_group_id "openssl/ssl.h" HAVE_SSL_GET_GROUP_ID)
check_symbol_exists(SSL_get_group_name "openssl/ssl.h" HAVE_SSL_GET_GROUP_NAME)
check_symbol_exists(SSL_group_to_name "openssl/ssl.h" HAVE_SSL_GROUP_TO_NAME)
check_symbol_exists(SSL_get_sigalgs "openssl/ssl.h" HAVE_SSL_GET_SIGALGS)
check_symbol_exists(SSL_get_shared_sigalgs "openssl/ssl.h" HAVE_SSL_GET_SHARED_SIGALGS)
check_symbol_exists(SSL_get0_peer_verify_algorithms "openssl/ssl.h" HAVE_SSL_GET0_PEER_VERIFY_ALGORITHMS)
check_symbol_exists(SSL_get_signature_algorithm_used "openssl/ssl.h" HAVE_SSL_GET_SIGNATURE_ALGORITHM_USED)
check_cxx_source_compiles(
"#include <openssl/ssl.h>
int main() {
SSL *ssl = nullptr;
int digest = 0;
int type = 0;
return SSL_get_signature_nid(ssl, &digest) + SSL_get_signature_type_nid(ssl, &type);
}"
HAVE_SSL_GET_LOCAL_SIGNATURE_NIDS
)
check_symbol_exists(SSL_set_max_early_data "openssl/ssl.h" HAVE_SSL_SET_MAX_EARLY_DATA)
check_symbol_exists(SSL_read_early_data "openssl/ssl.h" HAVE_SSL_READ_EARLY_DATA)
check_symbol_exists(SSL_write_early_data "openssl/ssl.h" HAVE_SSL_WRITE_EARLY_DATA)
Expand Down
12 changes: 12 additions & 0 deletions doc/admin-guide/logging/formatting.en.rst
Original file line number Diff line number Diff line change
Expand Up @@ -691,6 +691,9 @@ SSL / Encryption
.. _cqssv:
.. _cqssc:
.. _cqssu:
.. _cqssg:
.. _cqssig:
.. _cqssin:
.. _cqssa:
.. _cthbr:
.. _cthbt:
Expand Down Expand Up @@ -730,6 +733,15 @@ cqssg Client Request SSL Group used by |TS| to communicate with the client.
This field is only applicable when building |TS| against
OpenSSL 3.2 or later or a version of BoringSSL that
supports querying group names.
cqssig Client Request TLS signature schemes offered by the client, rendered as
dash-separated decimal IANA code points in wire order.
RFC 8701 GREASE values are omitted. This field contains
``-`` when the client does not send the extension or the
TLS library cannot expose it.
cqssin Client Request TLS signature scheme used by |TS| to authenticate the
handshake, rendered as a decimal IANA code point. Resumed
sessions contain ``-`` because they do not create a new
handshake signature.
cqssa Client Request ALPN Protocol ID negotiated with the client.
cthbr Client Request TLS handshake bytes received from the client. This is the
number of bytes read from the client during the TLS
Expand Down
26 changes: 18 additions & 8 deletions include/iocore/net/TLSBasicSupport.h
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@

#include <string>
#include <string_view>
#include <optional>

#include <openssl/ssl.h>

Expand All @@ -49,6 +50,11 @@ class TLSBasicSupport
const char *get_tls_cipher_suite() const;
const char *get_tls_curve() const;
std::string_view get_tls_group() const;
std::string_view get_tls_offered_signature_algorithms() const;
std::string_view get_tls_negotiated_signature_algorithm() const;
void capture_tls_offered_signature_algorithms();
void capture_tls_offered_signature_algorithms(std::string offered);
void capture_tls_negotiated_signature_algorithm();
ink_hrtime get_tls_handshake_begin_time() const;
ink_hrtime get_tls_handshake_end_time() const;
bool get_tls_handshake_bytes(uint64_t &bytes_in, uint64_t &bytes_out) const;
Expand Down Expand Up @@ -83,9 +89,11 @@ class TLSBasicSupport
protected:
void clear();

virtual SSL *_get_ssl_object() const = 0;
virtual ssl_curve_id _get_tls_curve() const = 0;
virtual std::string_view _get_tls_group() const = 0;
virtual SSL *_get_ssl_object() const = 0;
virtual ssl_curve_id _get_tls_curve() const = 0;
virtual std::string_view _get_tls_group() const = 0;
virtual std::string _get_tls_offered_signature_algorithms() const = 0;
virtual std::string _get_tls_negotiated_signature_algorithm() const = 0;

void _record_tls_handshake_begin_time();
void _record_tls_handshake_end_time();
Expand All @@ -103,9 +111,11 @@ class TLSBasicSupport

X509_STORE_CTX *_cert_to_verify = nullptr;

ink_hrtime _tls_handshake_begin_time = 0;
ink_hrtime _tls_handshake_end_time = 0;
mutable bool _tls_handshake_bytes_measured = false;
mutable uint64_t _tls_handshake_bytes_in = 0;
mutable uint64_t _tls_handshake_bytes_out = 0;
ink_hrtime _tls_handshake_begin_time = 0;
ink_hrtime _tls_handshake_end_time = 0;
mutable bool _tls_handshake_bytes_measured = false;
mutable uint64_t _tls_handshake_bytes_in = 0;
mutable uint64_t _tls_handshake_bytes_out = 0;
mutable std::optional<std::string> _tls_offered_signature_algorithms;
mutable std::optional<std::string> _tls_negotiated_signature_algorithm;
};
31 changes: 31 additions & 0 deletions include/proxy/http/HttpUserAgent.h
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ struct ClientConnectionInfo {
char const *cipher_suite{"-"};
char const *curve{"-"};
std::string security_group{"-"};
std::string offered_signature_algorithms{"-"};
std::string negotiated_signature_algorithm{"-"};

int alpn_id{SessionProtocolNameRegistry::INVALID};

Expand Down Expand Up @@ -101,6 +103,10 @@ class HttpUserAgent

char const *get_client_security_group() const;

char const *get_client_offered_signature_algorithms() const;

char const *get_client_negotiated_signature_algorithm() const;

int get_client_alpn_id() const;

uint64_t get_client_tls_handshake_bytes_rx() const;
Expand Down Expand Up @@ -193,6 +199,19 @@ HttpUserAgent::set_txn(ProxyTransaction *txn, TransactionMilestones &milestones)
m_conn_info.security_group = '-';
}

if (auto offered_signature_algorithms{tbs->get_tls_offered_signature_algorithms()}; !offered_signature_algorithms.empty()) {
m_conn_info.offered_signature_algorithms = offered_signature_algorithms;
} else {
m_conn_info.offered_signature_algorithms = '-';
}

if (auto negotiated_signature_algorithm{tbs->get_tls_negotiated_signature_algorithm()};
!negotiated_signature_algorithm.empty()) {
m_conn_info.negotiated_signature_algorithm = negotiated_signature_algorithm;
} else {
m_conn_info.negotiated_signature_algorithm = '-';
}

if (!m_conn_info.tcp_reused) {
// Copy along the TLS handshake timings
milestones[TS_MILESTONE_TLS_HANDSHAKE_START] = tbs->get_tls_handshake_begin_time();
Expand Down Expand Up @@ -312,6 +331,18 @@ HttpUserAgent::get_client_security_group() const
return m_conn_info.security_group.c_str();
}

inline char const *
HttpUserAgent::get_client_offered_signature_algorithms() const
{
return m_conn_info.offered_signature_algorithms.c_str();
}

inline char const *
HttpUserAgent::get_client_negotiated_signature_algorithm() const
{
return m_conn_info.negotiated_signature_algorithm.c_str();
}

inline int
HttpUserAgent::get_client_alpn_id() const
{
Expand Down
92 changes: 47 additions & 45 deletions include/proxy/logging/LogAccess.h
Original file line number Diff line number Diff line change
Expand Up @@ -134,51 +134,53 @@ class LogAccess
//
// client -> proxy fields
//
int marshal_client_host_ip(char *); // STR
int marshal_host_interface_ip(char *); // STR
int marshal_client_host_ip_verified(char *); // STR
int marshal_client_host_port(char *); // INT
int marshal_remote_host_ip(char *); // STR
int marshal_remote_host_port(char *); // STR
int marshal_client_auth_user_name(char *); // STR
int marshal_client_req_timestamp_sec(char *); // INT
int marshal_client_req_timestamp_ms(char *); // INT
int marshal_client_req_text(char *); // STR
int marshal_client_req_http_method(char *); // STR
int marshal_client_req_url(char *); // STR
int marshal_client_req_url_canon(char *); // STR
int marshal_client_req_unmapped_url_canon(char *); // STR
int marshal_client_req_unmapped_url_path(char *); // STR
int marshal_client_req_unmapped_url_host(char *); // STR
int marshal_client_req_url_path(char *); // STR
int marshal_client_req_url_scheme(char *); // STR
int marshal_client_req_http_version(char *); // INT
int marshal_client_req_protocol_version(char *); // STR
int marshal_server_req_protocol_version(char *); // STR
int marshal_client_req_squid_len(char *); // INT
int marshal_client_req_squid_len_tls(char *); // INT
int marshal_client_req_header_len(char *); // INT
int marshal_client_req_content_len(char *); // INT
int marshal_client_req_tcp_reused(char *); // INT
int marshal_client_req_is_ssl(char *); // INT
int marshal_client_req_ssl_reused(char *); // INT
int marshal_client_ssl_resumption_type(char *); // INT
int marshal_client_req_is_internal(char *); // INT
int marshal_client_req_mptcp_state(char *); // INT
int marshal_client_security_protocol(char *); // STR
int marshal_client_security_cipher_suite(char *); // STR
int marshal_client_security_curve(char *); // STR
int marshal_client_security_group(char *); // STR
int marshal_client_security_alpn(char *); // STR
int marshal_client_finish_status_code(char *); // INT
int marshal_client_req_id(char *); // INT
int marshal_client_req_uuid(char *); // STR
int marshal_client_rx_error_code(char *); // STR
int marshal_client_tx_error_code(char *); // STR
int marshal_client_tls_handshake_bytes_rx(char *); // INT
int marshal_client_tls_handshake_bytes_tx(char *); // INT
int marshal_client_tls_handshake_bytes(char *); // INT
int marshal_client_req_all_header_fields(char *); // STR
int marshal_client_host_ip(char *); // STR
int marshal_host_interface_ip(char *); // STR
int marshal_client_host_ip_verified(char *); // STR
int marshal_client_host_port(char *); // INT
int marshal_remote_host_ip(char *); // STR
int marshal_remote_host_port(char *); // STR
int marshal_client_auth_user_name(char *); // STR
int marshal_client_req_timestamp_sec(char *); // INT
int marshal_client_req_timestamp_ms(char *); // INT
int marshal_client_req_text(char *); // STR
int marshal_client_req_http_method(char *); // STR
int marshal_client_req_url(char *); // STR
int marshal_client_req_url_canon(char *); // STR
int marshal_client_req_unmapped_url_canon(char *); // STR
int marshal_client_req_unmapped_url_path(char *); // STR
int marshal_client_req_unmapped_url_host(char *); // STR
int marshal_client_req_url_path(char *); // STR
int marshal_client_req_url_scheme(char *); // STR
int marshal_client_req_http_version(char *); // INT
int marshal_client_req_protocol_version(char *); // STR
int marshal_server_req_protocol_version(char *); // STR
int marshal_client_req_squid_len(char *); // INT
int marshal_client_req_squid_len_tls(char *); // INT
int marshal_client_req_header_len(char *); // INT
int marshal_client_req_content_len(char *); // INT
int marshal_client_req_tcp_reused(char *); // INT
int marshal_client_req_is_ssl(char *); // INT
int marshal_client_req_ssl_reused(char *); // INT
int marshal_client_ssl_resumption_type(char *); // INT
int marshal_client_req_is_internal(char *); // INT
int marshal_client_req_mptcp_state(char *); // INT
int marshal_client_security_protocol(char *); // STR
int marshal_client_security_cipher_suite(char *); // STR
int marshal_client_security_curve(char *); // STR
int marshal_client_security_group(char *); // STR
int marshal_client_offered_signature_algorithms(char *); // STR
int marshal_client_negotiated_signature_algorithm(char *); // STR
int marshal_client_security_alpn(char *); // STR
int marshal_client_finish_status_code(char *); // INT
int marshal_client_req_id(char *); // INT
int marshal_client_req_uuid(char *); // STR
int marshal_client_rx_error_code(char *); // STR
int marshal_client_tx_error_code(char *); // STR
int marshal_client_tls_handshake_bytes_rx(char *); // INT
int marshal_client_tls_handshake_bytes_tx(char *); // INT
int marshal_client_tls_handshake_bytes(char *); // INT
int marshal_client_req_all_header_fields(char *); // STR

//
// proxy -> client fields
Expand Down
2 changes: 2 additions & 0 deletions include/proxy/logging/TransactionLogData.h
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ class TransactionLogData
const char *get_client_cipher_suite() const;
const char *get_client_curve() const;
const char *get_client_security_group() const;
const char *get_client_offered_signature_algorithms() const;
const char *get_client_negotiated_signature_algorithm() const;
int get_client_alpn_id() const;

// ===== SNI =====
Expand Down
5 changes: 5 additions & 0 deletions include/tscore/ink_config.h.cmake.in
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,11 @@ const int DEFAULT_STACKSIZE = @DEFAULT_STACK_SIZE@;
#cmakedefine01 HAVE_SSL_GET_GROUP_ID
#cmakedefine01 HAVE_SSL_GET_GROUP_NAME
#cmakedefine01 HAVE_SSL_GROUP_TO_NAME
#cmakedefine01 HAVE_SSL_GET_SIGALGS
#cmakedefine01 HAVE_SSL_GET_SHARED_SIGALGS
#cmakedefine01 HAVE_SSL_GET0_PEER_VERIFY_ALGORITHMS
#cmakedefine01 HAVE_SSL_GET_SIGNATURE_ALGORITHM_USED
#cmakedefine01 HAVE_SSL_GET_LOCAL_SIGNATURE_NIDS
#cmakedefine01 HAVE_SSL_ERROR_DESCRIPTION
#cmakedefine01 HAVE_OSSL_PARAM_CONSTRUCT_END
#cmakedefine01 TS_USE_TLS_SET_CIPHERSUITES
Expand Down
1 change: 1 addition & 0 deletions src/iocore/net/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,7 @@ if(BUILD_TESTING)
NetVCTest.cc
unit_tests/test_ProxyProtocol.cc
unit_tests/test_SSLSNIConfig.cc
unit_tests/test_SSLUtils.cc
unit_tests/test_YamlSNIConfig.cc
unit_tests/unit_test_main.cc
unit_tests/benchmark_TLSCertCompression.cc
Expand Down
2 changes: 2 additions & 0 deletions src/iocore/net/P_QUICNetVConnection.h
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,8 @@ class QUICNetVConnection : public UnixNetVConnection,
SSL *_get_ssl_object() const override;
ssl_curve_id _get_tls_curve() const override;
std::string_view _get_tls_group() const override;
std::string _get_tls_offered_signature_algorithms() const override;
std::string _get_tls_negotiated_signature_algorithm() const override;
int _verify_certificate(X509_STORE_CTX *ctx) override;

// TLSSNISupport
Expand Down
2 changes: 2 additions & 0 deletions src/iocore/net/P_SSLNetVConnection.h
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,8 @@ class SSLNetVConnection : public UnixNetVConnection,
}
ssl_curve_id _get_tls_curve() const override;
std::string_view _get_tls_group() const override;
std::string _get_tls_offered_signature_algorithms() const override;
std::string _get_tls_negotiated_signature_algorithm() const override;
int _verify_certificate(X509_STORE_CTX *ctx) override;

// TLSSessionResumptionSupport
Expand Down
14 changes: 14 additions & 0 deletions src/iocore/net/P_SSLUtils.h
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

#include "P_SSLCertLookup.h"
#include "iocore/net/SSLTypes.h"
#include "swoc/MemSpan.h"
#include "tscore/Diags.h"

#define OPENSSL_THREAD_DEFINES
Expand All @@ -31,6 +32,7 @@
#endif
#include <openssl/ssl.h>
#include <memory>
#include <string>

class SSLNetVConnection;

Expand All @@ -42,6 +44,18 @@ ssl_curve_id SSLGetCurveNID(SSL *ssl);
/// Return the TLS Group Name associated with the specified SSL connection.
std::string_view SSLGetGroupName(SSL *ssl);

/// Format TLS signature-scheme code points as dash-separated decimal values, excluding GREASE.
std::string SSLFormatSignatureAlgorithms(swoc::MemSpan<uint16_t const> algorithms);

/// Return the peer's offered TLS signature schemes in wire order.
std::string SSLGetOfferedSignatureAlgorithms(SSL *ssl);

/// Return the TLS signature scheme used locally to authenticate the current handshake.
std::string SSLGetNegotiatedSignatureAlgorithm(SSL *ssl);

/// Capture TLS signature information while the TLS library still exposes the selected scheme.
void SSLHandshakeInfoCallback(const SSL *ssl, int where, int ret);

SSL_SESSION *SSLSessionDup(SSL_SESSION *sess);

enum class SSLCertContextType;
Expand Down
6 changes: 3 additions & 3 deletions src/iocore/net/QUICMultiCertConfigLoader.cc
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

#include "P_SSLCertLookup.h"
#include "P_SSLConfig.h"
#include "P_SSLUtils.h"
#include "iocore/net/QUICMultiCertConfigLoader.h"
#include "iocore/net/quic/QUICConfig.h"
#include "mgmt/config/ConfigContextDiags.h"
Expand Down Expand Up @@ -107,10 +108,9 @@ QUICMultiCertConfigLoader::_set_cipher_suites_for_legacy_versions(SSL_CTX * /* c
}

bool
QUICMultiCertConfigLoader::_set_info_callback(SSL_CTX * /* ctx ATS_UNUSED */)
QUICMultiCertConfigLoader::_set_info_callback(SSL_CTX *ctx)
{
// Disabled for now
// TODO Check if we need this for QUIC
SSL_CTX_set_info_callback(ctx, SSLHandshakeInfoCallback);
return true;
}

Expand Down
12 changes: 12 additions & 0 deletions src/iocore/net/QUICNetVConnection.cc
Original file line number Diff line number Diff line change
Expand Up @@ -831,6 +831,18 @@ QUICNetVConnection::_get_tls_group() const
}
}

std::string
QUICNetVConnection::_get_tls_offered_signature_algorithms() const
{
return SSLGetOfferedSignatureAlgorithms(this->_ssl);
}

std::string
QUICNetVConnection::_get_tls_negotiated_signature_algorithm() const
{
return SSLGetNegotiatedSignatureAlgorithm(this->_ssl);
}

int
QUICNetVConnection::_verify_certificate(X509_STORE_CTX * /* ctx ATS_UNUSED */)
{
Expand Down
12 changes: 12 additions & 0 deletions src/iocore/net/SSLNetVConnection.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2186,6 +2186,18 @@ SSLNetVConnection::_get_tls_group() const
}
}

std::string
SSLNetVConnection::_get_tls_offered_signature_algorithms() const
{
return SSLGetOfferedSignatureAlgorithms(ssl);
}

std::string
SSLNetVConnection::_get_tls_negotiated_signature_algorithm() const
{
return SSLGetNegotiatedSignatureAlgorithm(ssl);
}

int
SSLNetVConnection::_verify_certificate(X509_STORE_CTX * /* ctx ATS_UNUSED */)
{
Expand Down
Loading