From 05c0b70166e54d074bd7429c8a4e152594e3ed75 Mon Sep 17 00:00:00 2001 From: Ruiqi Zhou Date: Tue, 26 Jul 2022 10:58:24 +0800 Subject: [PATCH] [+] add encryption option to load balancer cid generator (#212) --- CMakeLists.txt | 1 + cmake/CMakeLists.txt | 1 + include/xquic/xqc_errno.h | 3 + include/xquic/xquic.h | 17 ++ include/xquic/xquic_typedef.h | 3 + scripts/case_test.sh | 15 ++ scripts/xquic.lds | 1 + src/transport/xqc_quic_lb.c | 307 ++++++++++++++++++++++++++++++++++ tests/test_server.c | 56 ++++++- 9 files changed, 397 insertions(+), 7 deletions(-) create mode 100644 src/transport/xqc_quic_lb.c diff --git a/CMakeLists.txt b/CMakeLists.txt index df713dda6..2d0690b54 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -171,6 +171,7 @@ set( "src/transport/xqc_utils.c" "src/transport/xqc_defs.c" "src/transport/xqc_transport_params.c" + "src/transport/xqc_quic_lb.c" ) # TLS source diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt index d7b3a573c..c9036e14d 100644 --- a/cmake/CMakeLists.txt +++ b/cmake/CMakeLists.txt @@ -172,6 +172,7 @@ set( "src/transport/xqc_utils.c" "src/transport/xqc_defs.c" "src/transport/xqc_transport_params.c" + "src/transport/xqc_quic_lb.c" ) # TLS source diff --git a/include/xquic/xqc_errno.h b/include/xquic/xqc_errno.h index f35262fd9..fd4af95cc 100644 --- a/include/xquic/xqc_errno.h +++ b/include/xquic/xqc_errno.h @@ -117,6 +117,9 @@ typedef enum { XQC_EMP_INVALID_FRAME = 654, /* Multipath - invalid frame */ XQC_EMP_INVALID_QOE_SIGNAL = 660, /* Multipath - invalid qoe signal */ + XQC_EENCRYPT_LB_CID = 670, /* load balance connection ID encryption error */ + XQC_EENCRYPT_AES_128_ECB = 671, /* aes_128_ecb algorithm error */ + XQC_E_MAX, } xqc_transport_error_t; diff --git a/include/xquic/xquic.h b/include/xquic/xquic.h index 17effda24..0c927c172 100644 --- a/include/xquic/xquic.h +++ b/include/xquic/xquic.h @@ -1163,6 +1163,23 @@ xqc_int_t xqc_conn_continue_send(xqc_engine_t *engine, const xqc_cid_t *cid); XQC_EXPORT_PUBLIC_API xqc_conn_stats_t xqc_conn_get_stats(xqc_engine_t *engine, const xqc_cid_t *cid); +/** + * @brief load balance cid encryption. + * According to Draft : https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers-13#section-4.3.2 + * @param enc_len plaintext length. + * @param cid_buf the plaintext to be encrypted. + * @param out_buf the ciphertext of the plaintext encrypted. + * @param out_buf_len the length of the ciphertext to be encrypted. + * @param lb_cid_key encryption secret. + * @param lb_cid_key_len secret length. + * @param engine engine from `xqc_engine_create` + * @return negative for failed, 0 for the success. + * + * The length of cid_buf must not exceed the maximum length of the cid (20 byte), the length of out_buf should be no less than cid_buf_length. + * The length of lb_cid_key should be exactly 16 bytes. + */ +XQC_EXPORT_PUBLIC_API +xqc_int_t xqc_lb_cid_encryption(uint8_t *cid_buf, size_t enc_len, uint8_t *out_buf, size_t out_buf_len, uint8_t *lb_cid_key, size_t lb_cid_key_len, xqc_engine_t *engine); #ifdef __cplusplus } diff --git a/include/xquic/xquic_typedef.h b/include/xquic/xquic_typedef.h index 009948e96..a1c4deef3 100644 --- a/include/xquic/xquic_typedef.h +++ b/include/xquic/xquic_typedef.h @@ -109,6 +109,9 @@ typedef uint8_t xqc_bool_t; #define XQC_MAX_CID_LEN 20 #define XQC_MIN_CID_LEN 4 +/* restrictions of key length in lb cid encryption */ +#define XQC_LB_CID_KEY_LEN 16 + typedef struct xqc_cid_s { uint8_t cid_len; uint8_t cid_buf[XQC_MAX_CID_LEN]; diff --git a/scripts/case_test.sh b/scripts/case_test.sh index 1a2907cf1..d7edb2039 100755 --- a/scripts/case_test.sh +++ b/scripts/case_test.sh @@ -1035,6 +1035,21 @@ else case_print_result "load_balancer_cid_generate" "fail" fi +clear_log +killall test_server 2> /dev/null +echo -e "load balancer cid generate with encryption...\c" +./test_server -l d -e -S "server_id_0" -E > /dev/null & +sleep 1 +./test_client -s 1024000 -l d -t 1 >> clog +result=`grep "|lb cid encrypted|" slog` +errlog=`grep_err_log` +if [ -z "$errlog" ] && [ "$result" != "" ]; then + echo ">>>>>>>> pass:1" + case_print_result "load_balancer_cid_generate_with_encryption" "pass" +else + echo ">>>>>>>> pass:0" + case_print_result "load_balancer_cid_generate_with_encryption" "fail" +fi clear_log echo -e "set cipher suites ...\c" diff --git a/scripts/xquic.lds b/scripts/xquic.lds index 632e0c25d..f3f6cc4a2 100644 --- a/scripts/xquic.lds +++ b/scripts/xquic.lds @@ -67,6 +67,7 @@ XQUIC_VERS_1.0 { xqc_h3_request_finish; xqc_now; xqc_h3_engine_set_qpack_compat_duplicate; + xqc_lb_cid_encryption; local: *; }; diff --git a/src/transport/xqc_quic_lb.c b/src/transport/xqc_quic_lb.c new file mode 100644 index 000000000..8014de04a --- /dev/null +++ b/src/transport/xqc_quic_lb.c @@ -0,0 +1,307 @@ +#include +#include +#include +#include "src/transport/xqc_engine.h" + + +#define XQC_MAX_TRUNCATE_LEN 128 +#define XQC_EN_SINGLE_PASS_ENCRYPTION_LEN 16 +#define XQC_FIRST_OCTET 1 + +/* Each encrypted CID creates and releases a cipher ctx, which may occupies cpu resources a lot. It should be optimaized in the future.*/ +xqc_int_t +xqc_cid_encryption_aes_128_ecb(unsigned char *plaintext, size_t plaintext_len, uint8_t *ciphertext, size_t ciphertext_len, uint8_t *key, size_t key_len, xqc_engine_t *engine) +{ + xqc_int_t update_len = 0, final_len = 0; + xqc_log_t *log = engine->log; + + if (plaintext_len != XQC_EN_SINGLE_PASS_ENCRYPTION_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption parameter plaintext'length illegal(expect = 16)|"); + return -XQC_EPARAM; + } + + if (plaintext_len != ciphertext_len) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption parameter plaintext and ciphertext illegal(expect equals in length)|"); + return -XQC_EPARAM; + } + + if (key_len != XQC_LB_CID_KEY_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption parameter key'length illegal(expect = 16)|"); + return -XQC_EPARAM; + } + + + EVP_CIPHER_CTX *cipher_ctx = EVP_CIPHER_CTX_new(); + if (!cipher_ctx) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption ctx generate error|"); + EVP_CIPHER_CTX_free(cipher_ctx); + return -XQC_EENCRYPT_AES_128_ECB; + } + + if (!EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_ecb(), NULL, key, NULL)) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption init error|"); + EVP_CIPHER_CTX_free(cipher_ctx); + return -XQC_EENCRYPT_AES_128_ECB; + } + + EVP_CIPHER_CTX_set_padding(cipher_ctx, 0); + + if (!EVP_EncryptUpdate(cipher_ctx, ciphertext, &update_len, plaintext, plaintext_len)) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid aes_128_ecb encryption update error|"); + EVP_CIPHER_CTX_free(cipher_ctx); + return -XQC_EENCRYPT_AES_128_ECB; + } + + if (!EVP_EncryptFinal_ex(cipher_ctx, ciphertext + update_len, &final_len)) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid four-aes_128_ecb encryption final error|"); + EVP_CIPHER_CTX_free(cipher_ctx); + return -XQC_EENCRYPT_AES_128_ECB; + } + + EVP_CIPHER_CTX_free(cipher_ctx); + + return XQC_OK; +} + +__uint128_t +xqc_expand_left(__uint128_t left, __uint128_t right) +{ + __uint128_t out = 0; + __uint128_t left_bound = 0xf; + + left_bound <<= 124; + out |= left; + + if (out != 0) { + out <<= (128 - 80); + while ((out & left_bound) == 0){ + out <<= 4; + } + } + out |= right; + return out; +} + +__uint128_t +xqc_expand_right(__uint128_t left, __uint128_t right) +{ + return xqc_expand_left(right, left); +} + +__uint128_t +xqc_n_bit_1(xqc_int_t n) +{ + __uint128_t out = 0; + for (xqc_int_t i = 0; i < n; i++) { + out <<= 1; + out |= 1; + } + return out; +} + +__uint128_t +xqc_truncate_right(__uint128_t in, xqc_int_t cut_len, __uint128_t *out, xqc_engine_t *engine) +{ + xqc_log_t *log = engine->log; + if (cut_len > XQC_MAX_TRUNCATE_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid xqc_truncate_right parameter `cut_len` overflow(expect <= 128)|"); + return -XQC_EPARAM; + } + __uint128_t flag; + flag = 0; + flag = xqc_n_bit_1(cut_len); + *out = flag & in; + return XQC_OK ; +} + +__uint128_t +xqc_truncate_left(__uint128_t in, xqc_int_t cut_len, __uint128_t *out, xqc_engine_t *engine) +{ + xqc_log_t *log = engine->log; + if (cut_len > XQC_MAX_TRUNCATE_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid xqc_truncate_left parameter `cut_len` overflow(expect <= 128)|"); + return -XQC_EPARAM; + } + __uint128_t flag; + flag = 0; + flag = xqc_n_bit_1(cut_len); + flag <<= (XQC_MAX_TRUNCATE_LEN - cut_len); + *out = (flag & in) >> (XQC_MAX_TRUNCATE_LEN - cut_len); + return XQC_OK; +} + +void +xqc_array_right_shift(uint8_t *in_out, xqc_int_t bits, xqc_int_t in_out_len) +{ + if (bits == 0) { + return; + } + xqc_int_t i = 0; + while (i < in_out_len) { + /* keep the lowest `bits(int)` bits unchanged when i=0 */ + if (i) { + in_out[i] >>= bits; + } + if (i + 1 < in_out_len) { + uint8_t tmp = xqc_n_bit_1(bits); + tmp = in_out[i + 1] & tmp; + tmp <<= (8 - bits); + in_out[i] |= tmp; + } + i++; + } +} + +xqc_int_t +xqc_cid_encryption_four_pass(uint8_t *in, size_t in_len, uint8_t *out, size_t out_len, uint8_t *key, size_t key_len, xqc_engine_t *engine) +{ + __uint128_t left_0, right_0, left_1, right_1, left_2, right_2; + __uint128_t tmp_out, tmp_exp, tmp_tru; + xqc_int_t bits_per_byte = 8; + xqc_int_t octet_per_128bits = 16; + xqc_int_t left_len_bit, right_len_bit, left_len_byte, right_len_byte; + xqc_int_t shift_offset; + xqc_log_t *log = engine->log; + xqc_int_t ret; + + if (in_len > XQC_MAX_CID_LEN - XQC_FIRST_OCTET) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid four-pass encryption parameter in_lengtn illegal(expect > 0 && <= 19)|"); + return -XQC_EPARAM; + } + + if (out_len < in_len) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid four-pass encryption parameter out_len illegal(expect no less than in_len)|"); + return -XQC_EPARAM; + } + + if (key_len != XQC_LB_CID_KEY_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error|lb-cid four-pass encryption parameter key'length illegal(expect = 16)|"); + return -XQC_EPARAM; + } + + left_len_bit = right_len_bit = in_len * 4; + left_len_byte = right_len_byte = (in_len + 1) / 2; + shift_offset = right_len_byte * 8 - right_len_bit; + + memset(&left_0, 0, sizeof(left_0)); + memset(&left_1, 0, sizeof(left_1)); + memset(&left_2, 0, sizeof(left_2)); + memset(&right_0, 0, sizeof(right_0)); + memset(&right_1, 0, sizeof(right_1)); + memset(&right_2, 0, sizeof(right_2)); + + memcpy(&left_0, in + right_len_byte - 1, left_len_byte); + left_0 >>= right_len_bit - (right_len_byte - 1) * 8; + memcpy(&right_0, in, right_len_byte); + right_0 &= xqc_n_bit_1(right_len_bit); + + tmp_exp = xqc_expand_left(left_0, 0x01); + ret = xqc_cid_encryption_aes_128_ecb((uint8_t *)&tmp_exp, octet_per_128bits, (uint8_t *)&tmp_out, octet_per_128bits, key, key_len, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass encryption first-pass aes encryption error|%d|", ret); + return ret; + } + ret = xqc_truncate_right(tmp_out, right_len_bit, &tmp_tru, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass encryption first-pass truncate error|%d|", ret); + return ret; + } + right_1 = right_0 ^ tmp_tru; + + tmp_exp = xqc_expand_right(right_1, 0x02); + ret = xqc_cid_encryption_aes_128_ecb((uint8_t *)&tmp_exp, octet_per_128bits, (uint8_t *)&tmp_out, octet_per_128bits, key, key_len, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass second-pass aes encryption error|%d|", ret); + return ret; + } + ret = xqc_truncate_left(tmp_out, left_len_bit, &tmp_tru, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass encryption second-pass truncate error|%d|", ret); + return ret; + } + left_1 = left_0 ^ tmp_tru; + + tmp_exp = xqc_expand_left(left_1, 0x03); + ret = xqc_cid_encryption_aes_128_ecb((uint8_t *)&tmp_exp, octet_per_128bits, (uint8_t *)&tmp_out, octet_per_128bits, key, key_len, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass third-pass aes encryption error|%d|", ret); + return ret; + } + ret = xqc_truncate_right(tmp_out, right_len_bit, &tmp_tru, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass encryption third-pass truncate error|%d|", ret); + return ret; + } + right_2= right_1 ^ tmp_tru; + + tmp_exp = xqc_expand_right(right_2, 0x04); + ret = xqc_cid_encryption_aes_128_ecb((uint8_t *)&tmp_exp, octet_per_128bits, (uint8_t *)&tmp_out, octet_per_128bits, key, key_len, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass fourth-pass aes encryption error|%d|", ret); + return ret; + } + ret = xqc_truncate_left(tmp_out, left_len_bit, &tmp_tru, engine); + if (ret != XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid generate|lb-cid four-pass encryption fourth-pass truncate error|%d|", ret); + return ret; + } + left_2 = left_1 ^ tmp_tru; + + memcpy(out + right_len_byte, &left_2, left_len_byte); + memcpy(out, &right_2, right_len_byte); + /* The lowest right shift byte will overwrite the high-order bits of its right byte, thus the function requires the address of (startbyte - 1) */ + xqc_array_right_shift(out + right_len_byte - 1, shift_offset, left_len_byte + 1); + + return XQC_OK; +} + +/** + * @brief load balance cid encryption. + * According to Draft : https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers-13#section-4.3 + */ +xqc_int_t +xqc_lb_cid_encryption(uint8_t *cid_buf, size_t enc_len, uint8_t *out_buf, size_t out_buf_len, uint8_t *lb_cid_key, size_t lb_cid_key_len, xqc_engine_t *engine) +{ + size_t cid_buf_len = enc_len + XQC_FIRST_OCTET; + + xqc_log_t *log = engine->log; + + if (cid_buf_len > XQC_MAX_CID_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error| parameter enc_len illegal(expect <= 19)|"); + return -XQC_EPARAM; + } + + if (lb_cid_key_len != XQC_LB_CID_KEY_LEN) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error| parameter lb_cid_key illegal(expect = 16)|"); + return -XQC_EPARAM; + } + + if (out_buf_len < cid_buf_len) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid encryption error| parameter out_buf_len illegal(expect no less than cid_buf_len)|"); + return -XQC_EPARAM; + } + + if (enc_len == XQC_EN_SINGLE_PASS_ENCRYPTION_LEN) { + xqc_int_t res = xqc_cid_encryption_aes_128_ecb(cid_buf + XQC_FIRST_OCTET, enc_len, out_buf + XQC_FIRST_OCTET, enc_len, lb_cid_key, lb_cid_key_len, engine); + if (res < XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid aes_128_ecb encryption error|%d|", res); + return -XQC_EENCRYPT_LB_CID; + } + } else { + xqc_int_t res = xqc_cid_encryption_four_pass(cid_buf + XQC_FIRST_OCTET, enc_len, out_buf + XQC_FIRST_OCTET, enc_len, lb_cid_key, lb_cid_key_len, engine); + if (res < XQC_OK) { + xqc_log(log, XQC_LOG_ERROR, "|lb-cid four-pass encryption error|%d|", res); + return -XQC_EENCRYPT_LB_CID; + } + } + + unsigned char tmp_cid_buf[XQC_MAX_CID_LEN * 2 + 1]; + xqc_hex_dump(tmp_cid_buf, cid_buf, enc_len); + tmp_cid_buf[enc_len * 2] = '\0'; + unsigned char tmp_out_buf[XQC_MAX_CID_LEN * 2 + 1]; + xqc_hex_dump(tmp_out_buf, out_buf, enc_len); + tmp_out_buf[enc_len * 2] = '\0'; + xqc_log(log, XQC_LOG_INFO, "|lb cid encrypted|ori:%s|new:%s|", + tmp_cid_buf, tmp_out_buf); + return XQC_OK; +} \ No newline at end of file diff --git a/tests/test_server.c b/tests/test_server.c index e03923848..011272fab 100644 --- a/tests/test_server.c +++ b/tests/test_server.c @@ -28,6 +28,7 @@ #pragma comment(lib, "Iphlpapi.lib") #endif +#define XQC_FIRST_OCTET 1 int printf_null(const char *format, ...) { @@ -47,12 +48,15 @@ printf_null(const char *format, ...) #define XQC_MAX_LOG_LEN 2048 + typedef struct xqc_quic_lb_ctx_s { uint8_t sid_len; uint8_t sid_buf[XQC_MAX_CID_LEN]; uint8_t conf_id; uint8_t cid_len; uint8_t cid_buf[XQC_MAX_CID_LEN]; + uint8_t lb_cid_key[XQC_LB_CID_KEY_LEN]; + int lb_cid_enc_on; } xqc_quic_lb_ctx_t; @@ -100,6 +104,7 @@ int g_spec_url; int g_test_case; int g_ipv6; int g_batch=0; +int g_lb_cid_encryption_on = 0; char g_write_file[256]; char g_read_file[256]; char g_log_path[256]; @@ -108,7 +113,9 @@ char g_path[256] = "/path/resource"; char g_scheme[8] = "https"; char g_url[256]; char g_sid[XQC_MAX_CID_LEN]; +char g_lb_cid_enc_key[XQC_LB_CID_KEY_LEN]; size_t g_sid_len = 0; +size_t g_lb_cid_enc_key_len = 0; static uint64_t last_snd_ts; @@ -1017,20 +1024,21 @@ static ssize_t xqc_server_cid_generate(const xqc_cid_t *ori_cid, uint8_t *cid_buf, size_t cid_buflen, void *engine_user_data) { ssize_t cid_buf_index = 0, i; - ssize_t cid_len, sid_len; + ssize_t cid_len, sid_len, nonce_len; xqc_quic_lb_ctx_t *quic_lb_ctx; - + xqc_flag_t encrypt_cid_on; + uint8_t out_buf[XQC_MAX_CID_LEN]; quic_lb_ctx = &(ctx.quic_lb_ctx); - cid_len = quic_lb_ctx->cid_len; sid_len = quic_lb_ctx->sid_len; + nonce_len = cid_len - sid_len - XQC_FIRST_OCTET; if (sid_len < 0 || sid_len > cid_len || cid_len > cid_buflen) { return XQC_ERROR; } cid_buf[cid_buf_index] = quic_lb_ctx->conf_id; - cid_buf_index += 1; + cid_buf_index += XQC_FIRST_OCTET; memcpy(cid_buf + cid_buf_index, quic_lb_ctx->sid_buf, sid_len); cid_buf_index += sid_len; @@ -1039,8 +1047,21 @@ xqc_server_cid_generate(const xqc_cid_t *ori_cid, uint8_t *cid_buf, size_t cid_b cid_buf[i] = (uint8_t)rand(); } - /* xqc_log(engine->log, XQC_LOG_DEBUG, "|cid:%s|cid_len:%ud|", xqc_scid_str(cid), cid->cid_len); */ + memcpy(out_buf, cid_buf, cid_len); + + encrypt_cid_on = quic_lb_ctx->lb_cid_enc_on; + if (encrypt_cid_on) { + int res = xqc_lb_cid_encryption(cid_buf, sid_len + nonce_len, out_buf, XQC_MAX_CID_LEN, quic_lb_ctx->lb_cid_key, XQC_LB_CID_KEY_LEN, ctx.engine); + if (res != XQC_OK) { + printf("|xquic|lb-cid encryption error|"); + return -XQC_EENCRYPT_LB_CID; + } + } + + memcpy(cid_buf, out_buf, cid_len); + return cid_len; + } @@ -1052,7 +1073,7 @@ xqc_server_open_log_file(void *engine_user_data) ctx->log_fd = open(g_log_path, (O_WRONLY | O_APPEND | O_CREAT), 0644); if (ctx->log_fd <= 0) { return -1; - } + } return 0; } @@ -1203,6 +1224,8 @@ void usage(int argc, char *argv[]) { " -6 IPv6\n" " -b batch\n" " -S server sid\n" +" -E load balance id encryption on\n" +" -K load balance id encryption key\n" " -o Output log file path, default ./slog\n" , prog); } @@ -1226,7 +1249,7 @@ int main(int argc, char *argv[]) { strncpy(g_log_path, "./slog", sizeof(g_log_path)); int ch = 0; - while ((ch = getopt(argc, argv, "p:ec:Cs:w:r:l:u:x:6bS:o:")) != -1) { + while ((ch = getopt(argc, argv, "p:ec:Cs:w:r:l:u:x:6bS:o:EK:")) != -1) { switch (ch) { case 'p': /* Server port. */ printf("option port :%s\n", optarg); @@ -1302,6 +1325,15 @@ int main(int argc, char *argv[]) { printf("option log path :%s\n", optarg); snprintf(g_log_path, sizeof(g_log_path), optarg); break; + case 'K': /* set lb cid generator's key */ + printf("set lb-cid-generator key \n"); + snprintf(g_lb_cid_enc_key, sizeof(g_lb_cid_enc_key), optarg); + g_lb_cid_enc_key_len = strlen(g_lb_cid_enc_key); + break; + case 'E': /* set lb_cid encryption on */ + printf("set lb-cid encryption on \n"); + g_lb_cid_encryption_on = 1; + break; default: printf("other option :%c\n", ch); usage(argc, argv); @@ -1431,6 +1463,14 @@ int main(int argc, char *argv[]) { /* test server cid negotiate */ if (g_test_case == 1 || g_test_case == 5 || g_test_case == 6 || g_sid_len != 0) { + if (g_lb_cid_enc_key_len == 0) { + int i = 0; + for (i = 0; i < XQC_LB_CID_KEY_LEN; i++) { + g_lb_cid_enc_key[i] = (uint8_t)rand(); + } + + } + callback.cid_generate_cb = xqc_server_cid_generate; config.cid_negotiate = 1; config.cid_len = XQC_MAX_CID_LEN; @@ -1494,6 +1534,8 @@ int main(int argc, char *argv[]) { /* for lb cid generate */ memcpy(ctx.quic_lb_ctx.sid_buf, g_sid, g_sid_len); + memcpy(ctx.quic_lb_ctx.lb_cid_key, g_lb_cid_enc_key, XQC_LB_CID_KEY_LEN); + ctx.quic_lb_ctx.lb_cid_enc_on = g_lb_cid_encryption_on; ctx.quic_lb_ctx.sid_len = g_sid_len; ctx.quic_lb_ctx.conf_id = 0; ctx.quic_lb_ctx.cid_len = XQC_MAX_CID_LEN;