protocol-quic 0.0.0

data/ext/ngtcp2/examples/tls_client_session_boringssl.cc

@@ -0,0 +1,110 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2021 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_client_session_boringssl.h"
+
+#include <cassert>
+#include <iostream>
+
+#include "tls_client_context_boringssl.h"
+#include "client_base.h"
+#include "template.h"
+#include "util.h"
+
+TLSClientSession::TLSClientSession() {}
+
+TLSClientSession::~TLSClientSession() {}
+
+extern Config config;
+
+int TLSClientSession::init(bool &early_data_enabled,
+                           const TLSClientContext &tls_ctx,
+                           const char *remote_addr, ClientBase *client,
+                           uint32_t quic_version, AppProtocol app_proto) {
+  early_data_enabled = false;
+
+  auto ssl_ctx = tls_ctx.get_native_handle();
+
+  ssl_ = SSL_new(ssl_ctx);
+  if (!ssl_) {
+    std::cerr << "SSL_new: " << ERR_error_string(ERR_get_error(), nullptr)
+              << std::endl;
+    return -1;
+  }
+
+  SSL_set_app_data(ssl_, client->conn_ref());
+  SSL_set_connect_state(ssl_);
+
+  SSL_set_quic_use_legacy_codepoint(ssl_,
+                                    (quic_version & 0xff000000) == 0xff000000);
+
+  switch (app_proto) {
+  case AppProtocol::H3:
+    SSL_set_alpn_protos(ssl_, H3_ALPN, str_size(H3_ALPN));
+    break;
+  case AppProtocol::HQ:
+    SSL_set_alpn_protos(ssl_, HQ_ALPN, str_size(HQ_ALPN));
+    break;
+  }
+
+  if (!config.sni.empty()) {
+    SSL_set_tlsext_host_name(ssl_, config.sni.data());
+  } else if (util::numeric_host(remote_addr)) {
+    // If remote host is numeric address, just send "localhost" as SNI
+    // for now.
+    SSL_set_tlsext_host_name(ssl_, "localhost");
+  } else {
+    SSL_set_tlsext_host_name(ssl_, remote_addr);
+  }
+
+  if (config.session_file) {
+    auto f = BIO_new_file(config.session_file, "r");
+    if (f == nullptr) {
+      std::cerr << "Could not read TLS session file " << config.session_file
+                << std::endl;
+    } else {
+      auto session = PEM_read_bio_SSL_SESSION(f, nullptr, 0, nullptr);
+      BIO_free(f);
+      if (session == nullptr) {
+        std::cerr << "Could not read TLS session file " << config.session_file
+                  << std::endl;
+      } else {
+        if (!SSL_set_session(ssl_, session)) {
+          std::cerr << "Could not set session" << std::endl;
+        } else if (!config.disable_early_data &&
+                   SSL_SESSION_early_data_capable(session)) {
+          early_data_enabled = true;
+          SSL_set_early_data_enabled(ssl_, 1);
+        }
+        SSL_SESSION_free(session);
+      }
+    }
+  }
+
+  return 0;
+}
+
+bool TLSClientSession::get_early_data_accepted() const {
+  return SSL_early_data_accepted(ssl_);
+}

data/ext/ngtcp2/examples/tls_client_session_boringssl.h

@@ -0,0 +1,52 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2021 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_SESSION_BORINGSSL_H
+#define TLS_CLIENT_SESSION_BORINGSSL_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include "tls_session_base_openssl.h"
+#include "shared.h"
+
+using namespace ngtcp2;
+
+class TLSClientContext;
+class ClientBase;
+
+class TLSClientSession : public TLSSessionBase {
+public:
+  TLSClientSession();
+  ~TLSClientSession();
+
+  int init(bool &early_data_enabled, const TLSClientContext &tls_ctx,
+           const char *remote_addr, ClientBase *client, uint32_t quic_version,
+           AppProtocol app_proto);
+
+  bool get_early_data_accepted() const;
+};
+
+#endif // TLS_CLIENT_SESSION_BORINGSSL_H

data/ext/ngtcp2/examples/tls_client_session_gnutls.cc

@@ -0,0 +1,190 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_client_session_gnutls.h"
+
+#include <iostream>
+#include <fstream>
+#include <array>
+
+#include <ngtcp2/ngtcp2_crypto_gnutls.h>
+
+#include <gnutls/crypto.h>
+
+#include "tls_client_context_gnutls.h"
+#include "client_base.h"
+#include "template.h"
+#include "util.h"
+
+// Based on https://github.com/ueno/ngtcp2-gnutls-examples
+
+extern Config config;
+
+TLSClientSession::TLSClientSession() {}
+
+TLSClientSession::~TLSClientSession() {}
+
+namespace {
+int hook_func(gnutls_session_t session, unsigned int htype, unsigned when,
+              unsigned int incoming, const gnutls_datum_t *msg) {
+  if (config.session_file && htype == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET) {
+    gnutls_datum_t data;
+    if (auto rv = gnutls_session_get_data2(session, &data); rv != 0) {
+      std::cerr << "gnutls_session_get_data2 failed: " << gnutls_strerror(rv)
+                << std::endl;
+      return rv;
+    }
+    auto f = std::ofstream(config.session_file);
+    if (!f) {
+      return -1;
+    }
+
+    gnutls_datum_t d;
+    if (auto rv =
+            gnutls_pem_base64_encode2("GNUTLS SESSION PARAMETERS", &data, &d);
+        rv < 0) {
+      std::cerr << "Could not encode session in " << config.session_file
+                << std::endl;
+      return -1;
+    }
+
+    f.write(reinterpret_cast<const char *>(d.data), d.size);
+    if (!f) {
+      std::cerr << "Unable to write TLS session to file" << std::endl;
+    }
+    gnutls_free(d.data);
+    gnutls_free(data.data);
+  }
+
+  return 0;
+}
+} // namespace
+
+int TLSClientSession::init(bool &early_data_enabled,
+                           const TLSClientContext &tls_ctx,
+                           const char *remote_addr, ClientBase *client,
+                           uint32_t quic_version, AppProtocol app_proto) {
+  early_data_enabled = false;
+
+  if (auto rv =
+          gnutls_init(&session_, GNUTLS_CLIENT | GNUTLS_ENABLE_EARLY_DATA |
+                                     GNUTLS_NO_END_OF_EARLY_DATA);
+      rv != 0) {
+    std::cerr << "gnutls_init failed: " << gnutls_strerror(rv) << std::endl;
+    return -1;
+  }
+
+  std::string priority = "%DISABLE_TLS13_COMPAT_MODE:";
+  priority += config.ciphers;
+  priority += ':';
+  priority += config.groups;
+
+  if (auto rv = gnutls_priority_set_direct(session_, priority.c_str(), nullptr);
+      rv != 0) {
+    std::cerr << "gnutls_priority_set_direct failed: " << gnutls_strerror(rv)
+              << std::endl;
+    return -1;
+  }
+
+  gnutls_handshake_set_hook_function(session_, GNUTLS_HANDSHAKE_ANY,
+                                     GNUTLS_HOOK_POST, hook_func);
+
+  if (ngtcp2_crypto_gnutls_configure_client_session(session_) != 0) {
+    std::cerr << "ngtcp2_crypto_gnutls_configure_client_session failed"
+              << std::endl;
+    return -1;
+  }
+
+  if (config.session_file) {
+    auto f = std::ifstream(config.session_file);
+    if (f) {
+      f.seekg(0, std::ios::end);
+      auto pos = f.tellg();
+      std::vector<char> content(pos);
+      f.seekg(0, std::ios::beg);
+      f.read(content.data(), pos);
+
+      gnutls_datum_t s{
+          .data = reinterpret_cast<unsigned char *>(content.data()),
+          .size = static_cast<unsigned int>(content.size()),
+      };
+
+      gnutls_datum_t d;
+      if (auto rv =
+              gnutls_pem_base64_decode2("GNUTLS SESSION PARAMETERS", &s, &d);
+          rv < 0) {
+        std::cerr << "Could not read session in " << config.session_file
+                  << std::endl;
+        return -1;
+      }
+
+      auto d_d = defer(gnutls_free, d.data);
+
+      if (auto rv = gnutls_session_set_data(session_, d.data, d.size);
+          rv != 0) {
+        std::cerr << "gnutls_session_set_data failed: " << gnutls_strerror(rv)
+                  << std::endl;
+        return -1;
+      }
+
+      if (!config.disable_early_data) {
+        early_data_enabled = true;
+      }
+    }
+  }
+
+  gnutls_session_set_ptr(session_, client->conn_ref());
+
+  if (auto rv = gnutls_credentials_set(session_, GNUTLS_CRD_CERTIFICATE,
+                                       tls_ctx.get_native_handle());
+      rv != 0) {
+    std::cerr << "gnutls_credentials_set failed: " << gnutls_strerror(rv)
+              << std::endl;
+    return -1;
+  }
+
+  // strip the first byte from H3_ALPN_V1
+  gnutls_datum_t alpn{
+      .data = const_cast<uint8_t *>(&H3_ALPN_V1[1]),
+      .size = H3_ALPN_V1[0],
+  };
+
+  gnutls_alpn_set_protocols(session_, &alpn, 1, GNUTLS_ALPN_MANDATORY);
+
+  if (util::numeric_host(remote_addr)) {
+    // If remote host is numeric address, just send "localhost" as SNI
+    // for now.
+    gnutls_server_name_set(session_, GNUTLS_NAME_DNS, "localhost",
+                           strlen("localhost"));
+  } else {
+    gnutls_server_name_set(session_, GNUTLS_NAME_DNS, remote_addr,
+                           strlen(remote_addr));
+  }
+
+  return 0;
+}
+
+bool TLSClientSession::get_early_data_accepted() const {
+  return gnutls_session_get_flags(session_) & GNUTLS_SFLAGS_EARLY_DATA;
+}

data/ext/ngtcp2/examples/tls_client_session_gnutls.h

@@ -0,0 +1,52 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_SESSION_GNUTLS_H
+#define TLS_CLIENT_SESSION_GNUTLS_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include "tls_session_base_gnutls.h"
+#include "shared.h"
+
+using namespace ngtcp2;
+
+class TLSClientContext;
+class ClientBase;
+
+class TLSClientSession : public TLSSessionBase {
+public:
+  TLSClientSession();
+  ~TLSClientSession();
+
+  int init(bool &early_data_enabled, const TLSClientContext &tls_ctx,
+           const char *remote_addr, ClientBase *client, uint32_t quic_version,
+           AppProtocol app_proto);
+
+  bool get_early_data_accepted() const;
+};
+
+#endif // TLS_CLIENT_SESSION_GNUTLS_H

data/ext/ngtcp2/examples/tls_client_session_openssl.cc

@@ -0,0 +1,113 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "tls_client_session_openssl.h"
+
+#include <cassert>
+#include <iostream>
+
+#include <openssl/err.h>
+
+#include "tls_client_context_openssl.h"
+#include "client_base.h"
+#include "template.h"
+#include "util.h"
+
+TLSClientSession::TLSClientSession() {}
+
+TLSClientSession::~TLSClientSession() {}
+
+extern Config config;
+
+int TLSClientSession::init(bool &early_data_enabled,
+                           const TLSClientContext &tls_ctx,
+                           const char *remote_addr, ClientBase *client,
+                           uint32_t quic_version, AppProtocol app_proto) {
+  early_data_enabled = false;
+
+  auto ssl_ctx = tls_ctx.get_native_handle();
+
+  ssl_ = SSL_new(ssl_ctx);
+  if (!ssl_) {
+    std::cerr << "SSL_new: " << ERR_error_string(ERR_get_error(), nullptr)
+              << std::endl;
+    return -1;
+  }
+
+  SSL_set_app_data(ssl_, client->conn_ref());
+  SSL_set_connect_state(ssl_);
+
+  SSL_set_quic_use_legacy_codepoint(ssl_,
+                                    (quic_version & 0xff000000) == 0xff000000);
+
+  switch (app_proto) {
+  case AppProtocol::H3:
+    SSL_set_alpn_protos(ssl_, H3_ALPN, str_size(H3_ALPN));
+    break;
+  case AppProtocol::HQ:
+    SSL_set_alpn_protos(ssl_, HQ_ALPN, str_size(HQ_ALPN));
+    break;
+  }
+
+  if (!config.sni.empty()) {
+    SSL_set_tlsext_host_name(ssl_, config.sni.data());
+  } else if (util::numeric_host(remote_addr)) {
+    // If remote host is numeric address, just send "localhost" as SNI
+    // for now.
+    SSL_set_tlsext_host_name(ssl_, "localhost");
+  } else {
+    SSL_set_tlsext_host_name(ssl_, remote_addr);
+  }
+
+  if (config.session_file) {
+    auto f = BIO_new_file(config.session_file, "r");
+    if (f == nullptr) {
+      std::cerr << "Could not read TLS session file " << config.session_file
+                << std::endl;
+    } else {
+      auto session = PEM_read_bio_SSL_SESSION(f, nullptr, 0, nullptr);
+      BIO_free(f);
+      if (session == nullptr) {
+        std::cerr << "Could not read TLS session file " << config.session_file
+                  << std::endl;
+      } else {
+        if (!SSL_set_session(ssl_, session)) {
+          std::cerr << "Could not set session" << std::endl;
+        } else if (!config.disable_early_data &&
+                   SSL_SESSION_get_max_early_data(session)) {
+          early_data_enabled = true;
+          SSL_set_quic_early_data_enabled(ssl_, 1);
+        }
+        SSL_SESSION_free(session);
+      }
+    }
+  }
+
+  return 0;
+}
+
+bool TLSClientSession::get_early_data_accepted() const {
+  // SSL_get_early_data_status works after handshake completes.
+  return SSL_get_early_data_status(ssl_) == SSL_EARLY_DATA_ACCEPTED;
+}

data/ext/ngtcp2/examples/tls_client_session_openssl.h

@@ -0,0 +1,52 @@
+/*
+ * ngtcp2
+ *
+ * Copyright (c) 2020 ngtcp2 contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+#ifndef TLS_CLIENT_SESSION_OPENSSL_H
+#define TLS_CLIENT_SESSION_OPENSSL_H
+
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif // HAVE_CONFIG_H
+
+#include "tls_session_base_openssl.h"
+#include "shared.h"
+
+using namespace ngtcp2;
+
+class TLSClientContext;
+class ClientBase;
+
+class TLSClientSession : public TLSSessionBase {
+public:
+  TLSClientSession();
+  ~TLSClientSession();
+
+  int init(bool &early_data_enabled, const TLSClientContext &tls_ctx,
+           const char *remote_addr, ClientBase *client, uint32_t quic_version,
+           AppProtocol app_proto);
+
+  bool get_early_data_accepted() const;
+};
+
+#endif // TLS_CLIENT_SESSION_OPENSSL_H