Skip to content

Tls resume PoC (server stateless) #57079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wfurt merged 15 commits into from
Sep 3, 2021
Merged

Tls resume PoC (server stateless) #57079

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
5b5dc35
tls resume
wfurt Aug 9, 2021
6bf265c
fix alpn
wfurt Aug 9, 2021
b6b40d7
fix build with old openssl
wfurt Aug 9, 2021
9c99a25
remove handling of empty ALPN
wfurt Aug 10, 2021
30e8271
more OpenSSL1.0 fixes
wfurt Aug 10, 2021
8cb81fb
fix android
wfurt Aug 10, 2021
e6460bb
Merge branch 'main' of https://github.com/dotnet/runtime into tlsResu…
wfurt Aug 16, 2021
179edc8
feedback from review
wfurt Aug 16, 2021
55a1770
dispose innerContext if we don't cache
wfurt Aug 16, 2021
9aed0c8
disable TLS resume with CipherSuitePolicy
wfurt Aug 16, 2021
06dc955
partial feedback from review
wfurt Aug 26, 2021
fc5031e
Merge branch 'main' of https://github.com/dotnet/runtime into tlsResu…
wfurt Aug 26, 2021
3b21da7
fix build
wfurt Aug 26, 2021
df51d00
feedback from review
wfurt Aug 26, 2021
47f3742
refactor protocol selection to helper function
wfurt Aug 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feedback from review
  • Loading branch information
@wfurt
wfurt committed Aug 26, 2021
commit df51d00e59c24f224369477cee9b07468a42cd9d
99 changes: 46 additions & 53 deletions src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,8 @@ internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credentia
SafeSslContextHandle? newCtxHandle = null;
SslProtocols protocols = sslAuthenticationOptions.EnabledSslProtocols;
bool cacheSslContext = !DisableTlsResume && sslAuthenticationOptions.EncryptionPolicy == EncryptionPolicy.RequireEncryption &&
sslAuthenticationOptions.CertificateContext != null &&
sslAuthenticationOptions.CertificateContext.SslContexts != null &&
sslAuthenticationOptions.CipherSuitesPolicy == null &&
(!sslAuthenticationOptions.IsServer ||
(sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0));
Expand Down Expand Up @@ -258,88 +260,79 @@ internal static SafeSslHandle AllocateSslHandle(SafeFreeSslCredentials credentia
protocols = SslProtocols.Tls13;
}

if (sslAuthenticationOptions.CertificateContext != null && cacheSslContext)
if (cacheSslContext)
{
sslAuthenticationOptions.CertificateContext.SslContexts.TryGetValue(sslAuthenticationOptions.EnabledSslProtocols, out sslCtxHandle);
sslAuthenticationOptions.CertificateContext!.SslContexts!.TryGetValue(sslAuthenticationOptions.EnabledSslProtocols, out sslCtxHandle);
}

if (sslCtxHandle == null)
{
// We did not get SslContext from cache
sslCtxHandle = newCtxHandle = AllocateSslContext(credential, sslAuthenticationOptions);

if (cacheSslContext && sslAuthenticationOptions.CertificateContext!.SslContexts!.TryAdd(sslAuthenticationOptions.EnabledSslProtocols, newCtxHandle))
{
newCtxHandle = null;
}
}

GCHandle alpnHandle = default;
try
{
GCHandle alpnHandle = default;
try
sslHandle = SafeSslHandle.Create(sslCtxHandle, sslAuthenticationOptions.IsServer);
Debug.Assert(sslHandle != null, "Expected non-null return value from SafeSslHandle.Create");
if (sslHandle.IsInvalid)
{
sslHandle = SafeSslHandle.Create(sslCtxHandle, sslAuthenticationOptions.IsServer);
Debug.Assert(sslHandle != null, "Expected non-null return value from SafeSslHandle.Create");
if (sslHandle.IsInvalid)
{
sslHandle.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}

if (sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0)
{
if (sslAuthenticationOptions.IsServer)
{
alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols);
Interop.Ssl.SslSetData(sslHandle, GCHandle.ToIntPtr(alpnHandle));
sslHandle.AlpnHandle = alpnHandle;
}
else
{
if (Interop.Ssl.SslSetAlpnProtos(sslHandle, sslAuthenticationOptions.ApplicationProtocols) != 0)
{
throw CreateSslException(SR.net_alpn_config_failed);
}
}
}
sslHandle.Dispose();
throw CreateSslException(SR.net_allocate_ssl_context_failed);
}

if (!sslAuthenticationOptions.IsServer)
if (sslAuthenticationOptions.ApplicationProtocols != null && sslAuthenticationOptions.ApplicationProtocols.Count != 0)
{
if (sslAuthenticationOptions.IsServer)
{
// The IdnMapping converts unicode input into the IDNA punycode sequence.
string punyCode = string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ? string.Empty : s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost!);

// Similar to windows behavior, set SNI on openssl by default for client context, ignore errors.
if (!Ssl.SslSetTlsExtHostName(sslHandle, punyCode))
{
Crypto.ErrClearError();
}
alpnHandle = GCHandle.Alloc(sslAuthenticationOptions.ApplicationProtocols);
Interop.Ssl.SslSetData(sslHandle, GCHandle.ToIntPtr(alpnHandle));
sslHandle.AlpnHandle = alpnHandle;
}

if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired)
else
{
unsafe
if (Interop.Ssl.SslSetAlpnProtos(sslHandle, sslAuthenticationOptions.ApplicationProtocols) != 0)
{
Ssl.SslSetVerifyPeer(sslHandle);
throw CreateSslException(SR.net_alpn_config_failed);
}
}
}
catch

if (!sslAuthenticationOptions.IsServer)
{
if (alpnHandle.IsAllocated)
// The IdnMapping converts unicode input into the IDNA punycode sequence.
string punyCode = string.IsNullOrEmpty(sslAuthenticationOptions.TargetHost) ? string.Empty : s_idnMapping.GetAscii(sslAuthenticationOptions.TargetHost!);

// Similar to windows behavior, set SNI on openssl by default for client context, ignore errors.
if (!Ssl.SslSetTlsExtHostName(sslHandle, punyCode))
{
alpnHandle.Free();
Crypto.ErrClearError();
}
}

throw;
if (sslAuthenticationOptions.IsServer && sslAuthenticationOptions.RemoteCertRequired)
{
Ssl.SslSetVerifyPeer(sslHandle);
}
}
finally
catch
{
if (newCtxHandle != null)
if (alpnHandle.IsAllocated)
{
// We allocated new context and we want to cache
if (!cacheSslContext || sslAuthenticationOptions.CertificateContext?.SslContexts == null ||
!sslAuthenticationOptions.CertificateContext.SslContexts.TryAdd(sslAuthenticationOptions.EnabledSslProtocols, newCtxHandle))
{
newCtxHandle.Dispose();
}
alpnHandle.Free();
}

throw;
}
finally
{
newCtxHandle?.Dispose();
}

return sslHandle;
Expand Down