Adding origin-side ALPN configuration.

Adding the ability for ATS to specify the ALPN string it sends in the
TLS ClientHello handshake.

Author: bneradt

doc/admin-guide/files/records.config.en.rst

@@ -3956,6 +3956,12 @@ Client-Related Configuration
 
    Enables (``1``) or disables (``0``) TLSv1_3 in the ATS client context. If not specified, enabled by default
 
+.. ts:cv:: CONFIG proxy.config.ssl.client.alpn_protocols STRING ""
+   :overridable:
+
+   Set the alpn string that ATS will send to the origin in the ClientHello of
+   TLS handshakes.  By default no ALPN string will be sent.
+
 .. ts:cv:: CONFIG proxy.config.ssl.async.handshake.enabled INT 0
 
    Enables the use of OpenSSL async job during the TLS handshake.  Traffic

include/ts/apidefs.h.in

@@ -884,6 +884,7 @@ typedef enum {
   TS_CONFIG_SSL_CLIENT_SNI_POLICY,
   TS_CONFIG_SSL_CLIENT_PRIVATE_KEY_FILENAME,
   TS_CONFIG_SSL_CLIENT_CA_CERT_FILENAME,
+  TS_CONFIG_SSL_CLIENT_ALPN_PROTOCOLS,
   TS_CONFIG_HTTP_HOST_RESOLUTION_PREFERENCE,
   TS_CONFIG_HTTP_CONNECT_DEAD_POLICY,
   TS_CONFIG_HTTP_MAX_PROXY_CYCLES,

include/tscore/ink_defs.h

@@ -91,6 +91,8 @@ countof(const T (&)[N])
 #define unlikely(x) __builtin_expect(!!(x), 0)
 #endif
 
+#define MAX_ALPN_STRING 30
+
 /* Variables
  */
 extern int off;

iocore/net/I_NetVConnection.h

@@ -228,6 +228,9 @@ struct NetVCOptions {
 
   bool tls_upstream = false;
 
+  unsigned char alpn_protocols_array[MAX_ALPN_STRING];
+  int alpn_protocols_array_size = 0;
+
   /**
    * Set to DISABLED, PERFMISSIVE, or ENFORCED
    * Controls how the server certificate verification is handled

iocore/net/P_SSLConfig.h

@@ -101,6 +101,9 @@ struct SSLConfigParams : public ConfigInfo {
   long ssl_ctx_options;
   long ssl_client_ctx_options;
 
+  unsigned char alpn_protocols_array[MAX_ALPN_STRING];
+  int alpn_protocols_array_size = 0;
+
   char *server_tls13_cipher_suites;
   char *client_tls13_cipher_suites;
   char *server_groups_list;

iocore/net/SSLConfig.cc

@@ -263,6 +263,15 @@ SSLConfigParams::initialize()
   }
 #endif
 
+  // Read in the protocol string for ALPN to origin
+  char *clientALPNProtocols = nullptr;
+  REC_ReadConfigStringAlloc(clientALPNProtocols, "proxy.config.ssl.client.alpn_protocols");
+
+  if (clientALPNProtocols) {
+    this->alpn_protocols_array_size = MAX_ALPN_STRING;
+    convert_alpn_to_wire_format(clientALPNProtocols, this->alpn_protocols_array, this->alpn_protocols_array_size);
+  }
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
   REC_ReadConfigInteger(option, "proxy.config.ssl.server.honor_cipher_order");
   if (option) {

iocore/net/SSLNetVConnection.cc

@@ -1163,6 +1163,16 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
         return EVENT_ERROR;
       }
 
+      // If it is negative, we are conscious not setting alpn (e.g. for private server sessions)
+      if (options.alpn_protocols_array_size >= 0) {
+        if (options.alpn_protocols_array_size > 0) {
+          SSL_set_alpn_protos(this->ssl, options.alpn_protocols_array, options.alpn_protocols_array_size);
+        } else if (params->alpn_protocols_array_size > 0) {
+          // Set the ALPN protocols we are requesting.
+          SSL_set_alpn_protos(this->ssl, params->alpn_protocols_array, params->alpn_protocols_array_size);
+        }
+      }
+
       SSL_set_verify(this->ssl, SSL_VERIFY_PEER, verify_callback);
 
       // SNI
@@ -1374,9 +1384,9 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
         }
         this->set_negotiated_protocol_id({reinterpret_cast<const char *>(proto), static_cast<size_t>(len)});
 
-        Debug("ssl", "client selected next protocol '%.*s'", len, proto);
+        Debug("ssl", "Origin selected next protocol '%.*s'", len, proto);
       } else {
-        Debug("ssl", "client did not select a next protocol");
+        Debug("ssl", "Origin did not select a next protocol");
       }
     }
 
@@ -1523,6 +1533,17 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
         X509_free(cert);
       }
     }
+    {
+      unsigned char const *proto = nullptr;
+      unsigned int len           = 0;
+      // Make note of the negotiated protocol
+      SSL_get0_alpn_selected(ssl, &proto, &len);
+      if (len == 0) {
+        SSL_get0_next_proto_negotiated(ssl, &proto, &len);
+      }
+      Debug("ssl_alpn", "Negotiated ALPN: %.*s", len, proto);
+      this->set_negotiated_protocol_id({reinterpret_cast<const char *>(proto), static_cast<size_t>(len)});
+    }
 
     // if the handshake is complete and write is enabled reschedule the write
     if (closed == 0 && write.enabled) {

lib/records/I_RecHttp.h

@@ -520,3 +520,26 @@ HttpProxyPort::findHttp(uint16_t family)
     This must be called before any proxy port parsing is done.
 */
 extern void ts_session_protocol_well_known_name_indices_init();
+
+/** Convert the comma separated ALPN protocol list to wire format.
+ *
+ * For the definition of wire format, see the NOTES section in the OpenSSL
+ * description of SSL_CTX_set_alpn_select_cb:
+ *
+ * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_alpn_select_cb.html
+ *
+ * @param[in] protocols The comma separated list of protocols to convert to
+ *   wire format.
+ *
+ * @param[out] client_alpn_protocols The output ALPN wire format string
+ *   converted from @a protocols.
+ *
+ * @param[in,out] alpn_array_len As an input, this is the size allocated for @a
+ *   client_alpn_protocols. As an output, this is set to the final size of @a
+ *   client_alpn_protocols after conversion.
+ *
+ * @return True if the conversion was successful, false otherwise. Note that
+ * the wire format does not support an empty protocol list, therefore this
+ * function returns false if @a protocols is an empty string.
+ */
+bool convert_alpn_to_wire_format(std::string_view protocols, unsigned char *client_alpn_protocols, int &alpn_array_len);

lib/records/RecHttp.cc

@@ -26,6 +26,7 @@
 #include "tscore/ink_defs.h"
 #include "tscore/TextBuffer.h"
 #include "tscore/Tokenizer.h"
+#include <cstring>
 #include <strings.h>
 #include "tscore/ink_inet.h"
 #include <string_view>
@@ -841,3 +842,75 @@ SessionProtocolNameRegistry::nameFor(int idx) const
 {
   return 0 <= idx && idx < m_n ? m_names[idx] : TextView{};
 }
+
+bool
+convert_alpn_to_wire_format(std::string_view protocols, unsigned char *client_alpn_protocols, int &alpn_array_len)
+{
+  if (protocols.empty()) {
+    return false;
+  }
+
+  // Parse the comma separated protocol string into a list of protocol names.
+  std::vector<std::string_view> alpn_protocols;
+  std::string_view protocol;
+  size_t pos                  = 0;
+  int computed_alpn_array_len = 0;
+  while (pos < protocols.size()) {
+    size_t next_pos = protocols.find(',', pos);
+    if (next_pos == std::string_view::npos) {
+      protocol = protocols.substr(pos);
+      pos      = protocols.size();
+    } else {
+      protocol = protocols.substr(pos, next_pos - pos);
+      pos      = next_pos + 1;
+    }
+    if (protocol.empty()) {
+      Warning("Empty protocol name in configured ALPN list: %.*s", static_cast<int>(protocols.size()), protocols.data());
+      return false;
+    }
+    if (protocol.size() > 255) {
+      // The length has to fit in one byte.
+      Warning("A protocol name larger than 255 bytes in configured ALPN list: %.*s", static_cast<int>(protocols.size()),
+              protocols.data());
+      return false;
+    }
+    // Check whether we recognize the protocol.
+    auto const protocol_index = globalSessionProtocolNameRegistry.indexFor(protocol);
+    if (protocol_index == SessionProtocolNameRegistry::INVALID) {
+      Warning("Unknown protocol name in configured ALPN list: %.*s", static_cast<int>(protocol.size()), protocol.data());
+      return false;
+    }
+    // We currently only support HTTP/1.x protocols toward the origin.
+    if (!HTTP_PROTOCOL_SET.contains(protocol_index)) {
+      Warning("Non-HTTP/1.x protocol name in configured ALPN list: %.*s", static_cast<int>(protocol.size()), protocol.data());
+      return false;
+    }
+
+    auto const protocol_wire_format = globalSessionProtocolNameRegistry.convert_openssl_alpn_wire_format(protocol_index);
+    computed_alpn_array_len += protocol_wire_format.size();
+    if (computed_alpn_array_len > alpn_array_len) {
+      // We have exceeded the size of the output buffer.
+      Warning("The output ALPN length is larger than the input buffer size of %d bytes", alpn_array_len);
+      return false;
+    }
+
+    alpn_protocols.push_back(protocol_wire_format);
+  }
+  if (alpn_protocols.empty()) {
+    Warning("No protocols specified in ALPN list: %.*s", static_cast<int>(protocols.size()), protocols.data());
+    return false;
+  }
+
+  // All checks pass and the protocols are parsed. Write the result to the
+  // output buffer.
+  auto *start = client_alpn_protocols;
+  auto *end   = start;
+  for (auto &protocol : alpn_protocols) {
+    auto const len = protocol.size();
+    memcpy(end, protocol.data(), len);
+    end += len;
+  }
+  alpn_array_len = computed_alpn_array_len;
+  Debug("ssl_alpn", "Successfully converted ALPN list to wire format: %.*s", static_cast<int>(protocols.size()), protocols.data());
+  return true;
+}

lib/records/unit_tests/test_RecHttp.cc

@@ -18,15 +18,17 @@
    the License.
  */
 
+#include <array>
 #include <string>
 #include <string_view>
-#include <array>
+#include <vector>
 
 #include "catch.hpp"
 
 #include "tscore/BufferWriter.h"
 #include "records/I_RecHttp.h"
 #include "test_Diags.h"
+#include "tscore/ink_defs.h"
 
 using ts::TextView;
 
@@ -97,3 +99,119 @@ TEST_CASE("RecHttp", "[librecords][RecHttp]")
     REQUIRE(view.find(":proto") == TextView::npos); // it's default, should not have this.
   }
 }
+
+struct ConvertAlpnToWireFormatTestCase {
+  std::string description;
+  std::string alpn_input;
+  unsigned char expected_alpn_wire_format[MAX_ALPN_STRING] = {0};
+  int expected_alpn_wire_format_len                        = MAX_ALPN_STRING;
+  bool expected_return                                     = true;
+};
+
+// The following test cases assume that the input array is initialized with {
+// 0xab }, and thus expects that as the output on failure.
+// clang-format off
+std::vector<ConvertAlpnToWireFormatTestCase> convertAlpnToWireFormatTestCases = {
+  // --------------------------------------------------------------------------
+  // Malformed input.
+  // --------------------------------------------------------------------------
+  {
+    "Empty input protocol list",
+    "",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "Include an empty protocol in the list",
+    "http/1.1,,http/1.0",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "A protocol that exceeds the output buffer length (MAX_ALPN_STRING)",
+    "some_really_long_protocol_name_that_exceeds_the_output_buffer_length_that_is_MAX_ALPN_STRING",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "The sum of protocols exceeds the output buffer length (MAX_ALPN_STRING)",
+    "protocol_one,protocol_two,protocol_three",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "A protocol that exceeds the length described by a single byte (255)",
+    "some_really_long_protocol_name_that_exceeds_255_bytes_some_really_long_protocol_name_that_exceeds_255_bytes_some_really_long_protocol_name_that_exceeds_255_bytes_some_really_long_protocol_name_that_exceeds_255_bytes_some_really_long_protocol_name_that_exceeds_255_bytes",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  // --------------------------------------------------------------------------
+  // Unsupported protocols.
+  // --------------------------------------------------------------------------
+  {
+    "Unrecognized protocol: HTTP/6",
+    "h6",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "Single protocol: HTTP/2 (currently unsupported)",
+    "h2",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "Single protocol: HTTP/3 (currently unsupported)",
+    "h3",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  {
+    "Both HTTP/1.1 and HTTP/2 (HTTP/2 is currently unsupported)",
+    "h2,http/1.1",
+    { 0xab },
+    MAX_ALPN_STRING,
+    false
+  },
+  // --------------------------------------------------------------------------
+  // Happy cases.
+  // --------------------------------------------------------------------------
+  {
+    "Single protocol: HTTP/1.1",
+    "http/1.1",
+    {0x08, 'h', 't', 't', 'p', '/', '1', '.', '1'},
+    9,
+    true
+  },
+  {
+    "Multiple protocols: HTTP/0.9, HTTP/1.0, HTTP/1.1",
+    "http/1.1,http/1.0,http/0.9",
+    {0x08, 'h', 't', 't', 'p', '/', '1', '.', '1', 0x08, 'h', 't', 't', 'p', '/', '1', '.', '0', 0x08, 'h', 't', 't', 'p', '/', '0', '.', '9'},
+    27,
+    true
+  },
+};
+// clang-format on
+
+TEST_CASE("convert_alpn_to_wire_format", "[librecords][RecHttp]")
+{
+  for (auto const &test_case : convertAlpnToWireFormatTestCases) {
+    SECTION(test_case.description)
+    {
+      unsigned char alpn_wire_format[MAX_ALPN_STRING] = {0xab};
+      int alpn_wire_format_len                        = MAX_ALPN_STRING;
+      auto const result = convert_alpn_to_wire_format(test_case.alpn_input, alpn_wire_format, alpn_wire_format_len);
+      REQUIRE(result == test_case.expected_return);
+      REQUIRE(alpn_wire_format_len == test_case.expected_alpn_wire_format_len);
+      REQUIRE(memcmp(alpn_wire_format, test_case.expected_alpn_wire_format, test_case.expected_alpn_wire_format_len) == 0);
+    }
+  }
+}