Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix #1146 + some coding style cleanups #1156

Closed
wants to merge 2,605 commits into from
Closed

Fix #1146 + some coding style cleanups #1156

wants to merge 2,605 commits into from

Conversation

krizhanovsky
Copy link
Contributor

Fix #1146: ttls_update_checksum() can be called for chunk of ClientHello,
while we still don't know the cipher suite. So calculate two checksums
in parallel and copy SHA256 contex if necessary when ClientHello
sets xfrm.ciphersuite_info.

The rest of the patch, besides ttls_update_checksum() changes, is
coding style adjustments.

aleksostapenko and others added 30 commits July 14, 2018 14:37
@aleksostapenko
Fix bug in 'http_field_len' verification in case of duplicated headers.
8930102
@aleksostapenko
Changes according review comments (#1033).
e29d8cc
@aleksostapenko
Correct matching of multiple headers in 'match_hdr_raw()' (#1033).
0bfd5ea
@aleksostapenko
Merge pull request #1036 from tempesta-tech/ao-1033
88252a4 
Fix #1033: Change header name format in HTTP tables configuration.
@aleksostapenko
Merge pull request #1039 from tempesta-tech/ao-772
2c88221 
 Fix #772: Change 'keepalive' and 'client_body' timeouts applying.
@krizhanovsky
Fix TLS record headers writting in multi-record data transfers
134d5a6
@krizhanovsky
1. [FIX] Place server certificate in the same page as read file data.
7807f9f 
   The page is used later as skb page fragment in TLS handshake.
2. Cleanups in PEM decoder.
3. Remove DHM routines called only for FS IO (unused).
4. Revert DTLS routines (dirty code) as it's supposed to used them for QUIC.
@krizhanovsky
Small TLS Handshakes FSM fixes
613497c
@aleksostapenko
Fix #535: Block clients which requests have no session cookie.
ac32d62
@aleksostapenko
Fix #900: Change some comments and add unit tests.
bfc5e90
@aleksostapenko
Additional comment added (#900).
1086abb
@krizhanovsky
Cleanups. Completely remove DTLS as QUIC uses TLS 1.3.
eb03fd6
@aleksostapenko
Merge pull request #1051 from tempesta-tech/ao-900
0801674 
Fix #900: Change some comments and add unit tests.
@vankoven
Fix misspells
d147160
@vankoven
gfsm: don't return PASS if at least one fsm waits for more data
34b21b7
@vankoven
restore current fsm state after after calling registered hooks
86676b5
@vankoven
add current gfsm state debug function
b44561d
@krizhanovsky
1. Multiple fixes in TLS handshake FSM;
cecbc99 
2. Make GFSM traverse skb list and call a FSM for each skb. TLS layer
   must collect skbs before decryption to have AEAD tag, so it sends
   list of decrypted skbs to HTTP layer by GFSM call. However, HTTP
   manages skb list on it's own.
3. Make ttls_decrypt() to work with plain buffers as well as fragmented
   skbs;
4. Some cleanups.
@krizhanovsky
Add links to stable release
864c969
@aleksostapenko
Additional changes according review comments (#535).
aef34eb
@aleksostapenko
Changes in config man (#535).
1c80e93
@krizhanovsky
Make irq_fpu_usable() return true for Tempesta softirqs so that
f40fa64 
SIMD crypto algorithms won't be called through cryptd.
Some cleanups.
@vankoven
gfsm: fix incorrect fsm hook call
a6a492c 
tfw_gfsm_switch() can be called multiple times during tfw_gfsm_move()
call. After each tfw_gfsm_switch() call current FSM is switched
to FSM stated in fsm_hooks. Thus FSM(st) actually points on
child FSM state, not parent one.
@aleksostapenko
Place redir mark after authority during redirection (#535).
9ddd07c
@krizhanovsky
Fix review commits, the rest of #1000(#166) in particular
4cdbd9c
@krizhanovsky
TODO comments for #488,#515,#1054
60082f7
@krizhanovsky
Fix reading explicit iv for ClientFinished
2523ee3
@aleksostapenko
Changes according review comments (#535).
5620c94
@aleksostapenko
Fix #1058: Protocol/port persistence support during redirection.
8b37a43
@aleksostapenko
Changes according review comments (#1058).
4bdb0bb
krizhanovsky and others added 19 commits January 10, 2019 17:11
@krizhanovsky
Merge pull request #1143 from tempesta-tech/ak-1037-fixes
ea638cf 
Fix review comments for #1037
@vankoven
Merge pull request #1144 from tempesta-tech/ik-fix-build
99906fe 
Fix build of TLS module
@i-rinat
remove rebase artifacts
5ffb73c 
Various backup file copies were accidentally added to the repo.
@i-rinat
Merge pull request #1148 from tempesta-tech/ri-remove-rebase-artifacts
ded4ad7 
remove rebase artifacts
@i-rinat
recreate Content-Type request header for multipart/form-data requests
b55524e
@i-rinat
Merge pull request #1139 from tempesta-tech/ri-post-hdr-sanitize
4d9662f 
Sanitize Content-Type for multipart/form-data requests
@i-rinat
follow-up changes (see #1139)
754bf18 
* req->vhost is expected to be non-NULL, as it was checked before;
* disallow multiple instances of http_post_validate at topmost level;
* a typo.
@i-rinat
Merge pull request #1154 from tempesta-tech/ri-pr1139-fixups
3ccc7f4 
follow-up changes (see #1139)
@avbelov23
replace void ptr by union
c457b18
@avbelov23
Merge pull request #1150 from tempesta-tech/ab-str
3d6f8d4 
Replace void ptr by union
@vankoven
Remove TFW_HTTP_SUSPECTED flag
47e3788 
Instead of distinct flag, TFW_HTTP_CONN_CLOSE flags is set
to close client connection. The reason for a change
is message adjusting on forwarding. The 'Connection: ' header
should be properly set.
@vankoven
If error on request processing happen, don't close connection immedia…
16a800f 
…tely, serve all pending requests first

Fix #962
@vankoven
rename tfw_http_cli_error_resp_and_log wrappers
93f355e
@vankoven
Fix #899: check for sticky cookie before passing request to cache
339a5ee
@vankoven
fix code review comments
4b7a0c1
@vankoven
Address code review comments
d33e433
@vankoven
Fix rebase glitch
b09b442 
ss_close_sync() was replaced by tfw_connection_close() in current master.
@vankoven
Merge pull request #1141 from tempesta-tech/ik-error-req-fixes
8767e82 
Fixes on serving requests with errors
@krizhanovsky
Fix #1146: ttls_update_checksum() can be called for chunk of ClientHe…
f7dd088 
…llo,

while we still don't know the cipher suite. So calculate two checksums
in parallel and copy SHA256 contex if necessary when ClientHello
sets xfrm.ciphersuite_info.

The rest of the patch, besides ttls_update_checksum() changes, is
coding style adjustments.
@vankoven
Copy link
Contributor

vankoven commented Jan 25, 2019
edited
Loading

Didn't finish the review yet. But it seems that the issue is still here. I've tried to run tests on the CI, and crash on tls.test_tls_stress.StressTls.test_tls still happens. See http://93.115.28.191:4010/#/builders/5/builds/416 . The test was configured to 10 concurrent connections and 10 seconds duration.

@vankoven
Copy link
Contributor

May be related: #1157 . There also a lot of warnings in kernel log during the test. Please see shell_15 output on CI. It's not really readable, but there are some schedule while atomic warnings and a lot of more messages (partly garbaged).

aleksostapenko
aleksostapenko approved these changes Jan 26, 2019
View reviewed changes
Copy link
Contributor

@aleksostapenko aleksostapenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, with minor cleanups.

tls/ttls.c
sizeof(*sha256));
bzero_fast(&hs->ecdh_ctx, sizeof(ttls_ecdh_context));
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant empty line.

tls/tls_internal.h
* @key_cert - chosen key/cert pair (server);
* @sni_key_cert - key/cert list from SNI;
* @sni_ca_chain - trusted CAs from SNI callback;
* @sni_ca_crt - trusted CAs CRLs from SNI;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sni_ca_crt -> sni_ca_crl

@krizhanovsky krizhanovsky mentioned this pull request Jan 27, 2019
Merged
krizhanovsky added a commit that referenced this pull request Jan 29, 2019
@krizhanovsky
Merge pull request #1160 from tempesta-tech/ak-1146
0763dae 
Fix #1146 + some coding style cleanups (orig PR #1156)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aleksostapenko aleksostapenko aleksostapenko approved these changes

@vankoven vankoven Awaiting requested review from vankoven

Assignees

@vankoven vankoven

@aleksostapenko aleksostapenko

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@krizhanovsky @vankoven @aleksostapenko @craig @vladtcvs @i-rinat @avbelov23