This is an automated email from the ASF dual-hosted git repository. bneradt pushed a commit to branch 11-Dev in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 90f8301a8d6aab139e319707f8bd7c044174a4ba Merge: ce18c3f23f c9fb43eac2 Author: Brian Neradt <[email protected]> AuthorDate: Fri Oct 10 21:46:46 2025 +0000 Merge master into 11-Dev Conflicts: include/iocore/net/TLSSessionResumptionSupport.h src/iocore/net/SSLSessionCache.cc src/iocore/net/TLSSessionResumptionSupport.cc CMakeLists.txt | 2 + cmake/ExperimentalPlugins.cmake | 1 + contrib/docker/ubuntu/noble/Dockerfile | 5 +- doc/admin-guide/configuration/hrw4u.en.rst | 75 +- doc/admin-guide/files/records.yaml.en.rst | 7 +- doc/admin-guide/files/remap.config.en.rst | 29 + doc/admin-guide/files/sni.yaml.en.rst | 2 +- doc/admin-guide/logging/formatting.en.rst | 12 + .../monitoring/statistics/core/ssl.en.rst | 10 +- doc/admin-guide/plugins/compress.en.rst | 12 + doc/admin-guide/plugins/header_rewrite.en.rst | 19 +- doc/admin-guide/plugins/index.en.rst | 4 + doc/admin-guide/plugins/realip.en.rst | 86 ++ doc/admin-guide/plugins/xdebug.en.rst | 27 +- .../api/functions/TSHttpHdrStatusSet.en.rst | 15 + .../api/functions/TSHttpTxnStatusSet.en.rst | 67 + .../api/functions/TSHttpTxnVerifiedAddrSet.en.rst | 69 + doc/static/languages.json | 2 + example/plugins/c-api/basic_auth/basic_auth.cc | 2 +- example/plugins/c-api/denylist_0/denylist_0.cc | 2 +- example/plugins/c-api/denylist_1/denylist_1.cc | 2 +- example/plugins/c-api/redirect_1/redirect_1.cc | 2 +- example/plugins/c-api/remap/remap.cc | 2 +- example/plugins/c-api/secure_link/secure_link.cc | 2 +- include/cripts/Connections.hpp | 4 + include/cripts/Context.hpp | 6 + include/iocore/net/TLSBasicSupport.h | 20 +- include/iocore/net/TLSSessionResumptionSupport.h | 73 +- include/proxy/IPAllow.h | 2 +- include/proxy/ProxyTransaction.h | 20 + include/proxy/hdrs/URL.h | 10 + include/proxy/http/HttpTransact.h | 5 +- include/proxy/http/HttpUserAgent.h | 34 +- include/proxy/http/remap/UrlMappingPathIndex.h | 2 +- include/proxy/logging/LogAccess.h | 36 +- include/ts/ts.h | 37 +- include/tscore/ink_config.h.cmake.in | 2 + 
include/tsutil/Regex.h | 26 + lib/swoc/CMakeLists.txt | 4 +- lib/swoc/include/swoc/IPRange.h | 29 +- lib/swoc/include/swoc/swoc_version.h | 4 +- plugins/authproxy/authproxy.cc | 2 +- plugins/background_fetch/background_fetch.cc | 4 + plugins/cachekey/CMakeLists.txt | 9 + plugins/cachekey/tests/pattern_test.cc | 66 - plugins/cachekey/unit_tests/pattern_test.cc | 121 ++ plugins/compress/compress.cc | 5 +- plugins/compress/configuration.cc | 32 +- plugins/compress/configuration.h | 15 +- plugins/compress/misc.h | 2 +- plugins/esi/CMakeLists.txt | 4 +- plugins/esi/combo_handler.cc | 23 +- plugins/esi/esi.cc | 171 ++- plugins/esi/http_utils.cc | 62 + plugins/esi/{lib/EsiGunzip.h => http_utils.h} | 48 +- plugins/esi/lib/EsiGunzip.h | 5 +- plugins/esi/lib/EsiGzip.cc | 2 +- plugins/esi/lib/EsiGzip.h | 7 +- plugins/esi/lib/EsiParser.cc | 10 +- plugins/esi/lib/EsiParser.h | 4 +- plugins/esi/lib/EsiProcessor.cc | 9 +- plugins/esi/lib/EsiProcessor.h | 4 +- plugins/esi/serverIntercept.cc | 5 +- plugins/experimental/CMakeLists.txt | 3 + plugins/experimental/access_control/plugin.cc | 10 +- .../experimental/cache_fill/background_fetch.cc | 4 + plugins/experimental/cookie_remap/cookie_remap.cc | 8 +- plugins/experimental/geoip_acl/geoip_acl.cc | 2 +- plugins/experimental/http_stats/http_stats.cc | 2 +- plugins/experimental/icap/icap_plugin.cc | 2 +- plugins/experimental/maxmind_acl/maxmind_acl.cc | 2 +- plugins/experimental/mp4/mp4.cc | 2 +- plugins/experimental/rate_limit/rate_limit.cc | 2 +- plugins/experimental/rate_limit/txn_limiter.cc | 2 +- .../realip}/CMakeLists.txt | 11 +- plugins/experimental/realip/address_setter.cc | 43 + plugins/experimental/realip/address_setter.h | 36 + plugins/experimental/realip/address_source.cc | 72 + plugins/experimental/realip/address_source.h | 41 + plugins/experimental/realip/pp.cc | 52 + plugins/experimental/realip/pp.h | 34 + plugins/experimental/realip/realip.cc | 67 + plugins/experimental/realip/realip.h | 23 + 
plugins/experimental/realip/simple.cc | 76 + plugins/experimental/realip/simple.h | 34 + plugins/experimental/tls_bridge/tls_bridge.cc | 2 +- plugins/experimental/txn_box/plugin/src/ts_util.cc | 4 +- plugins/experimental/uri_signing/uri_signing.cc | 2 +- plugins/experimental/url_sig/url_sig.cc | 2 +- plugins/experimental/wasm/ats_context.cc | 4 +- plugins/header_rewrite/conditions.cc | 3 + plugins/header_rewrite/conditions.h | 6 + plugins/header_rewrite/factory.cc | 2 + plugins/header_rewrite/header_rewrite.cc | 133 +- plugins/header_rewrite/operators.cc | 56 +- plugins/header_rewrite/operators.h | 25 + plugins/header_rewrite/parser.cc | 23 +- plugins/header_rewrite/resources.cc | 12 +- plugins/header_rewrite/statement.h | 6 +- plugins/lua/ts_lua_client_response.cc | 4 +- plugins/lua/ts_lua_http.cc | 4 +- plugins/lua/ts_lua_server_response.cc | 2 +- plugins/origin_server_auth/origin_server_auth.cc | 4 +- plugins/prefetch/plugin.cc | 2 +- plugins/regex_remap/regex_remap.cc | 6 +- plugins/remap_purge/remap_purge.cc | 2 +- plugins/statichit/statichit.cc | 4 +- plugins/stats_over_http/stats_over_http.cc | 2 +- plugins/xdebug/CMakeLists.txt | 9 +- plugins/xdebug/unit_tests/test_xdebug_utils.cc | 195 +++ plugins/xdebug/xdebug.cc | 72 +- plugins/xdebug/xdebug_transforms.cc | 141 +- plugins/xdebug/xdebug_types.h | 14 + plugins/xdebug/xdebug_utils.cc | 108 ++ plugins/xdebug/xdebug_utils.h | 57 + src/api/InkAPI.cc | 60 +- src/cripts/Error.cc | 2 +- src/cripts/Headers.cc | 4 +- src/cripts/Urls.cc | 29 +- src/iocore/cache/CacheVC.cc | 5 +- src/iocore/cache/CacheVC.h | 3 +- src/iocore/net/P_QUICNetVConnection.h | 7 +- src/iocore/net/P_SSLNetVConnection.h | 6 +- src/iocore/net/P_SSLUtils.h | 5 +- src/iocore/net/QUICNetVConnection.cc | 18 +- src/iocore/net/ReadWriteEventIO.cc | 3 +- src/iocore/net/SSLNetVConnection.cc | 65 +- src/iocore/net/SSLSessionCache.cc | 10 +- src/iocore/net/SSLSessionCache.h | 20 +- src/iocore/net/SSLStats.cc | 4 + src/iocore/net/SSLStats.h | 16 +- 
src/iocore/net/SSLUtils.cc | 26 + src/iocore/net/Server.cc | 3 +- src/iocore/net/TLSBasicSupport.cc | 17 +- src/iocore/net/TLSSessionResumptionSupport.cc | 63 +- src/iocore/net/UnixNetVConnection.cc | 5 + src/mgmt/rpc/handlers/server/Server.cc | 14 + src/proxy/ControlMatcher.cc | 21 +- src/proxy/IPAllow.cc | 3 + src/proxy/hdrs/HdrHeap.cc | 2 +- src/proxy/hdrs/HdrToken.cc | 2 +- src/proxy/hdrs/MIME.cc | 22 +- src/proxy/hdrs/URL.cc | 92 +- src/proxy/hdrs/test_urlhash.cc | 4 +- src/proxy/hdrs/unit_tests/test_URL.cc | 2 + src/proxy/http/HttpDebugNames.cc | 6 - src/proxy/http/HttpSM.cc | 52 +- src/proxy/http/HttpSessionManager.cc | 6 + src/proxy/http/HttpTransact.cc | 6 +- src/proxy/http/remap/RemapConfig.cc | 5 +- src/proxy/http/remap/RemapProcessor.cc | 25 +- src/proxy/http/remap/UrlMappingPathIndex.cc | 10 +- src/proxy/http/remap/UrlRewrite.cc | 16 + src/proxy/http/remap/unit-tests/test_RemapRules.cc | 56 + src/proxy/http2/Http2ConnectionState.cc | 5 +- src/proxy/logging/Log.cc | 10 + src/proxy/logging/LogAccess.cc | 118 +- src/proxy/logging/LogFile.cc | 37 +- src/records/RecordsConfig.cc | 2 +- src/traffic_logstats/logstats.cc | 22 +- src/traffic_server/traffic_server.cc | 4 +- src/tscore/unit_tests/test_layout.cc | 5 + src/tscpp/api/Transaction.cc | 2 +- src/tsutil/Regex.cc | 55 +- src/tsutil/unit_tests/test_Regex.cc | 42 +- tests/gold_tests/autest-site/curl.test.ext | 8 +- .../gold_tests/autest-site/trafficserver.test.ext | 23 +- tests/gold_tests/cache/background_fill.test.py | 27 +- .../cache/cache-generation-clear.test.py | 1 - .../cache/cache-generation-disjoint.test.py | 1 - .../cache/disjoint-wait-for-cache.test.py | 1 - .../cache/gold/background_fill_0_stderr_H.gold | 6 +- .../cache/gold/background_fill_0_stderr_W.gold | 15 - .../cache/gold/background_fill_1_stderr_H.gold | 6 +- .../cache/gold/background_fill_1_stderr_W.gold | 15 - .../cache/gold/background_fill_2_stderr_H.gold | 6 +- .../cache/gold/background_fill_2_stderr_W.gold | 15 - 
.../cache/gold/background_fill_3_stdout.gold | 4 +- tests/gold_tests/cache/replay/bg_fill.yaml | 2 + tests/gold_tests/connect/connect.test.py | 2 +- tests/gold_tests/cripts/cripts.test.py | 19 +- tests/gold_tests/h2/h2spec.test.py | 2 +- .../gold_tests/h2/http2_concurrent_streams.test.py | 58 + tests/gold_tests/h2/httpbin.test.py | 2 +- tests/gold_tests/h2/nghttp.test.py | 2 +- .../h2/replay/http2_concurrent_streams.replay.yaml | 93 ++ tests/gold_tests/ip_allow/gold/log.gold | 6 +- tests/gold_tests/ip_allow/ip_allow.test.py | 24 +- tests/gold_tests/ip_allow/run_sed.sh | 4 +- tests/gold_tests/logging/log-filenames.test.py | 8 +- tests/gold_tests/logging/new_log_flds.test.py | 2 +- .../compress/compress-content-type-params.test.py | 68 + .../compress/etc/ignore-params-false.config | 6 + .../compress/etc/ignore-params-true.config | 6 + .../compress-content-type-params.replay.yaml | 73 + tests/gold_tests/pluginTest/esi/esi.test.py | 2 +- .../pluginTest/esi/esi_nested_include.replay.yaml | 77 + .../pluginTest/esi/esi_nested_include.test.py | 130 +- .../header_rewrite/gold/header_rewrite-502.gold | 5 + .../gold/header_rewrite_effective_address.gold | 7 + .../header_rewrite/gold/plugin-status-test.gold | 2 + .../header_rewrite/header_rewrite.test.py | 46 +- .../header_rewrite_effective_address.test.py | 56 + .../pluginTest/header_rewrite/rules/rule.conf | 6 +- .../{rule.conf => rule_effective_address.conf} | 8 +- .../polite_hook_wait/polite_hook_wait.cc | 2 +- tests/gold_tests/pluginTest/tsapi/CMakeLists.txt | 1 + .../rule.conf => tsapi/hrw_verified_addr.conf} | 4 +- .../pluginTest/tsapi/test_TSHttpSsnInfo.test.py | 2 +- .../pluginTest/tsapi/test_TSHttpTxnVerifiedAddr.cc | 81 ++ .../tsapi/test_TSHttpTxnVerifiedAddr.test.py | 65 + .../pluginTest/tsapi/test_TSVConnPPInfo.test.py | 2 +- .../xdebug/x_probe_full_json/gold/jq.gold | 3 - .../xdebug/x_probe_full_json/gold/jq_escaped.gold | 3 + .../xdebug/x_probe_full_json/gold/jq_hex.gold | 3 + 
.../xdebug/x_probe_full_json/gold/jq_nobody.gold | 3 + .../x_probe_full_json.replay.yaml | 80 +- .../x_probe_full_json/x_probe_full_json.test.py | 55 +- .../remap/gold/map-with-recv-port-ip.gold | 13 + .../remap/gold/map-with-recv-port-unix.gold | 13 + tests/gold_tests/remap/map_with_recv_port.test.py | 82 ++ tests/gold_tests/remap/remap_acl.test.py | 134 +- tests/gold_tests/tls/ssl_key_dialog.test.py | 12 +- tests/gold_tests/traffic_ctl/gold/diff.gold | 3 + tests/gold_tests/traffic_ctl/gold/diff_yaml.gold | 1 + .../traffic_ctl/traffic_ctl_server_output.test.py | 13 +- tests/tools/plugins/custom204plugin.cc | 2 +- tests/tools/plugins/user_args.cc | 2 +- tools/hrw4u/LSP_README.md | 59 + tools/hrw4u/Makefile | 94 +- tools/hrw4u/bootstrap.sh | 4 + tools/hrw4u/grammar/hrw4u.g4 | 28 +- tools/hrw4u/grammar/u4wrh.g4 | 33 +- tools/hrw4u/pyproject.toml | 6 +- tools/hrw4u/requirements.txt | 1 + tools/hrw4u/scripts/hrw4u | 12 +- tools/hrw4u/scripts/hrw4u-kg | 308 ++++ tools/hrw4u/scripts/hrw4u-lsp | 611 ++++++++ tools/hrw4u/scripts/testcase.py | 10 +- tools/hrw4u/scripts/u4wrh | 12 +- tools/hrw4u/src/common.py | 240 +++- tools/hrw4u/src/debugging.py | 20 +- tools/hrw4u/src/errors.py | 116 +- tools/hrw4u/src/generators.py | 177 +++ tools/hrw4u/src/hrw_symbols.py | 147 +- tools/hrw4u/src/hrw_visitor.py | 504 ++++--- tools/hrw4u/src/interning.py | 112 ++ tools/hrw4u/src/kg_visitor.py | 560 ++++++++ .../run_sed.sh => tools/hrw4u/src/lsp/__init__.py | 11 +- tools/hrw4u/src/lsp/completions.py | 287 ++++ tools/hrw4u/src/lsp/documentation.py | 1485 ++++++++++++++++++++ tools/hrw4u/src/lsp/hover.py | 664 +++++++++ tools/hrw4u/src/lsp/strings.py | 305 ++++ tools/hrw4u/src/lsp/types.py | 114 ++ tools/hrw4u/src/script_common.py | 145 -- tools/hrw4u/src/states.py | 133 +- tools/hrw4u/src/suggestions.py | 156 ++ tools/hrw4u/src/symbols.py | 251 ++-- tools/hrw4u/src/symbols_base.py | 144 ++ tools/hrw4u/src/tables.py | 367 +++-- tools/hrw4u/src/types.py | 98 +- tools/hrw4u/src/validation.py 
| 121 +- tools/hrw4u/src/visitor.py | 621 +++++--- tools/hrw4u/src/visitor_base.py | 449 ++++++ tools/hrw4u/tests/data/conds/access.ast.txt | 2 +- .../tests/data/conds/bad_regex.fail.error.txt | 3 + .../tests/data/conds/bad_regex.fail.input.txt | 5 + tools/hrw4u/tests/data/conds/cache.ast.txt | 2 +- tools/hrw4u/tests/data/conds/capture.ast.txt | 2 +- tools/hrw4u/tests/data/conds/certs.ast.txt | 1 + tools/hrw4u/tests/data/conds/certs.input.txt | 28 + tools/hrw4u/tests/data/conds/certs.output.txt | 23 + tools/hrw4u/tests/data/conds/cidr.ast.txt | 2 +- tools/hrw4u/tests/data/conds/cookie.ast.txt | 2 +- tools/hrw4u/tests/data/conds/exceptions.txt | 5 + tools/hrw4u/tests/data/conds/from-url.ast.txt | 2 +- tools/hrw4u/tests/data/conds/geo.ast.txt | 2 +- tools/hrw4u/tests/data/conds/http-cntl.ast.txt | 2 +- tools/hrw4u/tests/data/conds/if-elif.ast.txt | 2 +- tools/hrw4u/tests/data/conds/impl-expr.ast.txt | 2 +- .../hrw4u/tests/data/conds/implicit-cmp.input.txt | 13 + .../hrw4u/tests/data/conds/implicit-cmp.output.txt | 11 + tools/hrw4u/tests/data/conds/in-sets.ast.txt | 1 + tools/hrw4u/tests/data/conds/in-sets.input.txt | 5 + tools/hrw4u/tests/data/conds/in-sets.output.txt | 3 + tools/hrw4u/tests/data/conds/inbound.ast.txt | 2 +- tools/hrw4u/tests/data/conds/internal.ast.txt | 2 +- tools/hrw4u/tests/data/conds/ip.ast.txt | 2 +- tools/hrw4u/tests/data/conds/long-if.ast.txt | 2 +- tools/hrw4u/tests/data/conds/method.ast.txt | 2 +- tools/hrw4u/tests/data/conds/multi-if.ast.txt | 2 +- tools/hrw4u/tests/data/conds/now.ast.txt | 2 +- tools/hrw4u/tests/data/conds/outbound.ast.txt | 2 +- tools/hrw4u/tests/data/conds/split-if.ast.txt | 2 +- tools/hrw4u/tests/data/conds/to-url.ast.txt | 2 +- tools/hrw4u/tests/data/conds/true_false.ast.txt | 2 +- tools/hrw4u/tests/data/conds/txn-count.ast.txt | 2 +- .../hrw4u/tests/data/examples/add-cc-path.ast.txt | 2 +- .../hrw4u/tests/data/examples/all-nonsense.ast.txt | 1 + .../tests/data/examples/all-nonsense.input.txt | 215 +++ 
.../tests/data/examples/all-nonsense.output.txt | 254 ++++ tools/hrw4u/tests/data/examples/conn-drain.ast.txt | 2 +- tools/hrw4u/tests/data/examples/dbg-req.ast.txt | 2 +- tools/hrw4u/tests/data/examples/exceptions.txt | 5 + tools/hrw4u/tests/data/examples/hdr-exists.ast.txt | 2 +- tools/hrw4u/tests/data/examples/hsts.ast.txt | 2 +- tools/hrw4u/tests/data/examples/int-header.ast.txt | 2 +- .../hrw4u/tests/data/examples/int-header.input.txt | 1 + .../tests/data/examples/int-header.output.txt | 1 + .../tests/data/examples/meth-resp-hdr.ast.txt | 2 +- .../hrw4u/tests/data/examples/norm_status.ast.txt | 2 +- tools/hrw4u/tests/data/examples/path-ext.ast.txt | 2 +- .../hrw4u/tests/data/examples/rem_org_auth.ast.txt | 2 +- tools/hrw4u/tests/data/examples/rm-cc-out.ast.txt | 2 +- .../hrw4u/tests/data/examples/rm-cc-out.input.txt | 1 + .../hrw4u/tests/data/examples/rm-cc-out.output.txt | 1 + tools/hrw4u/tests/data/examples/rm-int-hdr.ast.txt | 2 +- tools/hrw4u/tests/data/examples/rm-query.ast.txt | 2 +- tools/hrw4u/tests/data/examples/run-plugin.ast.txt | 2 +- tools/hrw4u/tests/data/examples/teapots.ast.txt | 2 +- tools/hrw4u/tests/data/examples/useless.ast.txt | 2 +- tools/hrw4u/tests/data/examples/uuid.ast.txt | 2 +- tools/hrw4u/tests/data/examples/x-debug.ast.txt | 2 +- .../data/hooks/invalid_section.fail.error.txt | 2 +- tools/hrw4u/tests/data/hooks/read_response.ast.txt | 2 +- tools/hrw4u/tests/data/hooks/remap.ast.txt | 2 +- tools/hrw4u/tests/data/hooks/send_request.ast.txt | 2 +- tools/hrw4u/tests/data/hooks/send_response.ast.txt | 2 +- tools/hrw4u/tests/data/ops/dscp.ast.txt | 2 +- tools/hrw4u/tests/data/ops/dscp.input.txt | 1 + tools/hrw4u/tests/data/ops/dscp.output.txt | 1 + tools/hrw4u/tests/data/ops/expansion.ast.txt | 2 +- .../data/ops/http_cntl_invalid_bool.fail.error.txt | 1 + .../data/ops/http_cntl_invalid_bool.fail.input.txt | 3 + .../data/ops/http_cntl_quoted_bool.fail.error.txt | 1 + .../data/ops/http_cntl_quoted_bool.fail.input.txt | 3 + 
.../tests/data/ops/http_cntl_valid_bools.ast.txt | 1 + .../tests/data/ops/http_cntl_valid_bools.input.txt | 19 + .../data/ops/http_cntl_valid_bools.output.txt | 18 + tools/hrw4u/tests/data/ops/no-op.ast.txt | 2 +- tools/hrw4u/tests/data/ops/qsa.input.txt | 2 + tools/hrw4u/tests/data/ops/qsa.output.txt | 3 +- tools/hrw4u/tests/data/ops/redirect.ast.txt | 2 +- tools/hrw4u/tests/data/ops/set-body.ast.txt | 2 +- tools/hrw4u/tests/data/ops/set-conf.ast.txt | 2 +- tools/hrw4u/tests/data/ops/set-destination.ast.txt | 1 + .../hrw4u/tests/data/ops/set-destination.input.txt | 7 + .../tests/data/ops/set-destination.output.txt | 5 + tools/hrw4u/tests/data/ops/set-plugin-cntl.ast.txt | 1 + .../hrw4u/tests/data/ops/set-plugin-cntl.input.txt | 9 + .../tests/data/ops/set-plugin-cntl.output.txt | 7 + tools/hrw4u/tests/data/ops/skip-remap.ast.txt | 2 +- tools/hrw4u/tests/data/ops/skip-remap.output.txt | 2 +- .../data/ops/skip_remap_quoted_bool.fail.error.txt | 1 + .../data/ops/skip_remap_quoted_bool.fail.input.txt | 3 + tools/hrw4u/tests/data/ops/status.ast.txt | 2 +- tools/hrw4u/tests/data/vars/assign.ast.txt | 2 +- tools/hrw4u/tests/data/vars/bool.ast.txt | 2 +- tools/hrw4u/tests/data/vars/int16.ast.txt | 2 +- tools/hrw4u/tests/data/vars/int8.ast.txt | 2 +- tools/hrw4u/tests/data/vars/typos.fail.error.txt | 3 + tools/hrw4u/tests/data/vars/typos.fail.input.txt | 7 + tools/hrw4u/tests/lsp_asserts.py | 197 +++ tools/hrw4u/tests/test_conds.py | 8 + tools/hrw4u/tests/test_conds_reverse.py | 2 +- tools/hrw4u/tests/test_examples_reverse.py | 2 +- tools/hrw4u/tests/test_hooks_reverse.py | 2 +- tools/hrw4u/tests/test_lsp.py | 652 +++++++++ tools/hrw4u/tests/test_ops.py | 7 + tools/hrw4u/tests/test_ops_reverse.py | 2 +- tools/hrw4u/tests/test_units.py | 288 ++++ tools/hrw4u/tests/test_vars_reverse.py | 2 +- tools/hrw4u/tests/utils.py | 201 ++- 373 files changed, 13563 insertions(+), 2249 deletions(-) diff --cc include/iocore/net/TLSSessionResumptionSupport.h index 
086ccbfaf5,80c25d96d6..38eb5d4a5c --- a/include/iocore/net/TLSSessionResumptionSupport.h +++ b/include/iocore/net/TLSSessionResumptionSupport.h @@@ -48,12 -73,44 +73,31 @@@ public int processSessionTicket(SSL *ssl, unsigned char *keyname, unsigned char *iv, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hctx, int enc); #endif - bool getSSLSessionCacheHit() const; - bool getSSLOriginSessionCacheHit() const; - ssl_curve_id getSSLCurveNID() const; + // --------------------------------------------------------------------------- + // TLS Session Resumption Support Via Server Session Caching + // --------------------------------------------------------------------------- - - /** Retrieves a cached SSL session from the session cache. - * - * This function is used to retrieve a cached SSL session from the session cache. - * - * @param[in] ssl The SSL connection object. - * @param[in] id The session ID to lookup. - * @param[in] len The length of the session ID. - * @param[out] copy Pointer to an integer indicating if the session ID should be copied. - * @return A pointer to the cached SSL session, or nullptr if not found. - */ - SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy); - + /** + * @brief Retrieves a cached SSL session from the origin session cache. + * + * This function is used to retrieve a cached SSL session from the origin session cache. + * + * @param[in] lookup_key The key to lookup the session in the cache. + * @return A pointer to the cached SSL session, or nullptr if not found. 
+ */ std::shared_ptr<SSL_SESSION> getOriginSession(const std::string &lookup_key); + // --------------------------------------------------------------------------- + // Getters used for both ticket and session caching + // --------------------------------------------------------------------------- + + bool getIsResumedSSLSession() const; + bool getIsResumedOriginSSLSession() const; + bool getIsResumedFromSessionCache() const; + bool getIsResumedFromSessionTicket() const; + ssl_curve_id getSSLCurveNID() const; + std::string_view getSSLGroupName() const; + protected: void clear(); virtual const IpEndpoint &_getLocalEndpoint() = 0; diff --cc src/iocore/net/SSLSessionCache.h index 501df2a0a3,769c20adf1..ff78e8f0e1 --- a/src/iocore/net/SSLSessionCache.h +++ b/src/iocore/net/SSLSessionCache.h @@@ -37,8 -46,160 +46,11 @@@ struct ssl_session_cache_exdata { ssl_curve_id curve = 0; + + /** The TLS group name, gauranteed to be null-terminated. */ + char group_name[SSL_MAX_GROUP_NAME_SIZE] = {'\0'}; }; -inline void -hash_combine(uint64_t &seed, uint64_t hash) -{ - // using boost's version of hash combine, substituting magic number with a 64bit version - // https://www.boost.org/doc/libs/1_43_0/doc/html/hash/reference.html#boost.hash_combine - seed ^= hash + 0x9E3779B97F4A7C15 + (seed << 6) + (seed >> 2); -} - -struct SSLSessionID : public TSSslSessionID { - SSLSessionID(const unsigned char *s, size_t l) - { - len = l; - ink_release_assert(l <= sizeof(bytes)); - memcpy(bytes, s, l); - hash(); - } - - SSLSessionID(const SSLSessionID &other) - { - if (other.len) { - memcpy(bytes, other.bytes, other.len); - } - - len = other.len; - hash(); - } - - bool - operator<(const SSLSessionID &other) const - { - if (len != other.len) { - return len < other.len; - } - - return (memcmp(bytes, other.bytes, len) < 0); - } - - SSLSessionID & - operator=(const SSLSessionID &other) - { - if (other.len) { - memcpy(bytes, other.bytes, other.len); - } - - len = other.len; - return *this; - } - - bool 
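Review bot: The new `getSSLGroupName()` declaration returns a `std::string_view` but, unlike `getOriginSession` just above it, has no comment saying how long the returned view stays valid. The definition added in src/iocore/net/TLSSessionResumptionSupport.cc returns `this->_sslGroupName` directly, so the view presumably borrows storage tied to this object (the member's type is not visible here) and would dangle if that storage is reset, for example if `clear()` resets it, or when the connection object is destroyed. I would document the contract, e.g. `/** @return The negotiated TLS group name; the view is valid only while this object is alive and until the group name is next set or cleared. */`, so that callers which log or store the name later copy it into a `std::string`. The class body starts and ends outside this hunk.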
- operator==(const SSLSessionID &other) const - { - if (len != other.len) { - return false; - } - - // memcmp returns 0 on equal - return (memcmp(bytes, other.bytes, len) == 0); - } - - const char * - toString(char *buf, size_t buflen) const - { - char *cur_pos = buf; - for (size_t i = 0; i < len && buflen > 0; ++i) { - if (buflen > 2) { // we have enough space for 3 bytes, 2 hex and 1 null terminator - snprintf(cur_pos, 3 /* including a null terminator */, "%02hhX", static_cast<unsigned char>(bytes[i])); - cur_pos += 2; - buflen -= 2; - } else { // not enough space for any more hex bytes, just null terminate - *cur_pos = '\0'; - break; - } - } - return buf; - } - - uint64_t - hash() const - { - // because the session ids should be uniformly random, we can treat the bits as a hash value - // however we need to combine them if the length is longer than 64bits - if (len >= sizeof(uint64_t)) { - uint64_t seed = 0; - for (uint64_t i = 0; i < len; i += sizeof(uint64_t)) { - hash_combine(seed, static_cast<uint64_t>(bytes[i])); - } - return seed; - } else if (len) { - return static_cast<uint64_t>(bytes[0]); - } else { - return 0; - } - } -}; - -class SSLSession -{ -public: - SSLSessionID session_id; - Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the SSL_CTX */ - size_t len_asn1_data; - Ptr<IOBufferData> extra_data; - - SSLSession(const SSLSessionID &id, const Ptr<IOBufferData> &ssl_asn1_data, size_t len_asn1, Ptr<IOBufferData> &exdata) - : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1), extra_data(exdata) - { - } - - LINK(SSLSession, link); -}; - -class SSLSessionBucket -{ -public: - SSLSessionBucket(); - ~SSLSessionBucket(); - void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl); - bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data); - int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len); - void removeSession(const SSLSessionID &sid); - -private: - /* 
these method must be used while hold the lock */ - void print(const char *) const; - void removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock); - - mutable ts::shared_mutex mutex; - CountQueue<SSLSession> bucket_que; - std::map<SSLSessionID, SSLSession *> bucket_map; -}; - -class SSLSessionCache -{ -public: - bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data) const; - int getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const; - void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl); - void removeSession(const SSLSessionID &sid); - SSLSessionCache(); - ~SSLSessionCache(); - - SSLSessionCache(const SSLSessionCache &) = delete; - SSLSessionCache &operator=(const SSLSessionCache &) = delete; - -private: - SSLSessionBucket *session_bucket = nullptr; - size_t nbuckets; -}; - class SSLOriginSession { public: diff --cc src/iocore/net/SSLStats.h index 8f879487c6,9e2cdc428f..552d0b2407 --- a/src/iocore/net/SSLStats.h +++ b/src/iocore/net/SSLStats.h @@@ -96,10 -98,17 +97,17 @@@ struct SSLStatsBlock Metrics::Counter::AtomicType *user_agent_version_too_high = nullptr; Metrics::Counter::AtomicType *user_agent_version_too_low = nullptr; Metrics::Counter::AtomicType *user_agent_wrong_version = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_hit = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_miss = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_timeout = nullptr; - Metrics::Gauge::AtomicType *user_agent_sessions = nullptr; + - // Note: The following user_agent_session_* metrics are implemented as Gauge types - // even though they semantically represent cumulative counters. This is because - // they are periodically synchronized from external counter sources (OpenSSL's - // built-in session cache or ATS's session cache) and need to be "set" to specific - // values rather than incremented. 
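Review bot: The comment on `group_name` promises null termination, but nothing in `ssl_session_cache_exdata` enforces it: the `= {'\0'}` initializer only covers a freshly constructed object, and the code that fills the array is outside this hunk. Whoever writes the field has to bound the copy to `SSL_MAX_GROUP_NAME_SIZE - 1` bytes and terminate it explicitly, because a reader that treats it as a C string (the `getSession` body removed in TLSSessionResumptionSupport.cc passed `exdata->group_name` to `_setSSLGroupName`) would otherwise read past the array. I would put that contract in the comment and fix the spelling of "gauranteed": `/** The TLS group name. Writers must truncate to SSL_MAX_GROUP_NAME_SIZE - 1 bytes so it is always null-terminated. */`. Since the session-cache classes are dropped from this header on the merged side, it is also worth confirming that the field still has both a writer and a reader on 11-Dev.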
From a monitoring perspective, these should be ++ // Note: The following user_agent_session_* metrics are implemented as Gauge ++ // types even though they semantically represent cumulative counters. This is ++ // because they are periodically synchronized from external counter sources ++ // (OpenSSL's built-in session cache) and need to be "set" to specific values ++ // rather than incremented. From a monitoring perspective, these should be + // treated as counters for calculating rates. + Metrics::Gauge::AtomicType *user_agent_session_hit = nullptr; + Metrics::Gauge::AtomicType *user_agent_session_miss = nullptr; + Metrics::Gauge::AtomicType *user_agent_session_timeout = nullptr; + Metrics::Gauge::AtomicType *user_agent_sessions = nullptr; }; extern SSLStatsBlock ssl_rsb; diff --cc src/iocore/net/TLSSessionResumptionSupport.cc index 21d5a02c20,1fac030a7c..1bd93bcc64 --- a/src/iocore/net/TLSSessionResumptionSupport.cc +++ b/src/iocore/net/TLSSessionResumptionSupport.cc @@@ -141,6 -158,62 +158,12 @@@ TLSSessionResumptionSupport::getSSLCurv return this->_sslCurveNID; } + std::string_view + TLSSessionResumptionSupport::getSSLGroupName() const + { + return this->_sslGroupName; + } + -SSL_SESSION * -TLSSessionResumptionSupport::getSession(SSL *ssl, const unsigned char *id, int len, int *copy) -{ - SSLSessionID sid(id, len); - - *copy = 0; - if (diags()->on()) { - static DbgCtl dbg_ctl("ssl.session_cache.get"); - if (dbg_ctl.tag_on()) { - char printable_buf[(len * 2) + 1]; - sid.toString(printable_buf, sizeof(printable_buf)); - DbgPrint(dbg_ctl, "ssl_get_cached_session cached session '%s' context %p", printable_buf, SSL_get_SSL_CTX(ssl)); - } - } - - APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK)); - while (hook) { - hook->invoke(TS_EVENT_SSL_SESSION_GET, &sid); - hook = hook->m_link.next; - } - - SSL_SESSION *session = nullptr; - ssl_session_cache_exdata *exdata = nullptr; - if (session_cache->getSession(sid, &session, &exdata)) { 
- ink_assert(session); - ink_assert(exdata); - - // Double check the timeout - if (is_ssl_session_timed_out(session)) { - Metrics::Counter::increment(ssl_rsb.session_cache_miss); - Metrics::Counter::increment(ssl_rsb.session_cache_timeout); -// Due to bug in openssl, the timeout is checked, but only removed -// from the openssl built-in hash table. The external remove cb is not called -#if 0 // This is currently eliminated, since it breaks things in odd ways (see TS-3710) - ssl_rm_cached_session(SSL_get_SSL_CTX(ssl), session); -#endif - SSL_SESSION_free(session); - session = nullptr; - } else { - Metrics::Counter::increment(ssl_rsb.session_cache_hit); - this->_setResumptionType(ResumptionType::RESUMED_FROM_SESSION_CACHE, !IS_RESUMED_ORIGIN_SESSION); - this->_setSSLCurveNID(exdata->curve); - this->_setSSLGroupName(exdata->group_name); - } - } else { - Metrics::Counter::increment(ssl_rsb.session_cache_miss); - } - return session; -} - std::shared_ptr<SSL_SESSION> TLSSessionResumptionSupport::getOriginSession(const std::string &lookup_key) {
