Use SSL_get_all_group_names for BoringSSL

apache · Nov 6, 2024 · 5b48887 · 5b48887
1 parent 245a01e
commit 5b48887
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 34 deletions.
diff --git a/src/iocore/net/SSLStats.cc b/src/iocore/net/SSLStats.cc
@@ -32,51 +32,76 @@
 
 SSLStatsBlock                                                   ssl_rsb;
 std::unordered_map<std::string, Metrics::Counter::AtomicType *> cipher_map;
-std::unordered_map<int, Metrics::Counter::AtomicType *>         tls_group_map;
+
+#ifdef OPENSSL_IS_BORINGSSL
+std::unordered_map<std::string, Metrics::Counter::AtomicType *> tls_group_map;
+#elif defined(SSL_get_negotiated_group)
+std::unordered_map<int, Metrics::Counter::AtomicType *> tls_group_map;
+#endif
 
 namespace
 {
 DbgCtl dbg_ctl_ssl{"ssl"};
 
 #if defined(OPENSSL_IS_BORINGSSL) || defined(SSL_get_negotiated_group)
 
+template <typename T>
+void
+add_group_stat(T key, const std::string &name)
+{
+  // If not already registered ...
+  if (tls_group_map.find(key) == tls_group_map.end()) {
+    Metrics::Counter::AtomicType *metric = Metrics::Counter::createPtr("proxy.process.ssl.group.user_agent." + name);
+
+    tls_group_map.emplace(key, metric);
+    Dbg(dbg_ctl_ssl, "registering SSL group metric '%s'", name.c_str());
+  }
+}
+
+#endif // OPENSSL_IS_BORINGSSL or SSL_get_negotiated_group
+
+#if not defined(OPENSSL_IS_BORINGSSL) and defined(SSL_get_negotiated_group) // OPENSSL 3.x
+
 struct TLSGroup {
   int         nid;
   std::string name;
 };
 
 // NID and Group table. Some groups are not defined by some library.
 constexpr TLSGroup TLS_GROUPS[] = {
-  {NID_X9_62_prime256v1, "P-256"         },
-  {NID_secp384r1,        "P-384"         },
-  {NID_secp521r1,        "P-521"         },
-  {NID_X25519,           "X25519"        },
+  {SSL_GROUP_STAT_OTHER_KEY, "OTHER"         },
+  {NID_X9_62_prime256v1,     "P-256"         },
+  {NID_secp384r1,            "P-384"         },
+  {NID_secp521r1,            "P-521"         },
+  {NID_X25519,               "X25519"        },
 #ifdef NID_secp224r1
-  {NID_secp224r1,        "P-224"         },
+  {NID_secp224r1,            "P-224"         },
 #endif
 #ifdef NID_X448
-  {NID_X448,             "X448"          },
+  {NID_X448,                 "X448"          },
 #endif
 #ifdef NID_ffdhe2048
-  {NID_ffdhe2048,        "ffdhe2048"     },
+  {NID_ffdhe2048,            "ffdhe2048"     },
 #endif
 #ifdef NID_ffdhe3072
-  {NID_ffdhe3072,        "ffdhe3072"     },
+  {NID_ffdhe3072,            "ffdhe3072"     },
 #endif
 #ifdef NID_ffdhe4096
-  {NID_ffdhe4096,        "ffdhe4096"     },
+  {NID_ffdhe4096,            "ffdhe4096"     },
 #endif
 #ifdef NID_ffdhe6144
-  {NID_ffdhe6144,        "ffdhe6144"     },
+  {NID_ffdhe6144,            "ffdhe6144"     },
 #endif
 #ifdef NID_ffdhe8192
-  {NID_ffdhe8192,        "ffdhe8192"     },
+  {NID_ffdhe8192,            "ffdhe8192"     },
 #endif
 #ifdef NID_X25519MLKEM768
-  {NID_X25519MLKEM768,   "X25519MLKEM768"},
+  {NID_X25519MLKEM768,       "X25519MLKEM768"},
 #endif
 };
-#endif // OPENSSL_IS_BORINGSSL or SSL_get_negotiated_group
+
+#endif // OPENSSL 3.x
+
 } // end anonymous namespace
 
 // ToDo: This gets called once per global sync, for now at least.
@@ -125,18 +150,6 @@ add_cipher_stat(const char *cipherName, const std::string &statName)
   }
 }
 
-static void
-add_group_stat(int nid, const std::string &stat_name)
-{
-  // If not already registered ...
-  if (tls_group_map.find(nid) == tls_group_map.end()) {
-    Metrics::Counter::AtomicType *metric = Metrics::Counter::createPtr(stat_name);
-
-    tls_group_map.emplace(nid, metric);
-    Dbg(dbg_ctl_ssl, "registering SSL group metric '%s'", stat_name.c_str());
-  }
-}
-
 void
 SSLInitializeStatistics()
 {
@@ -227,10 +240,18 @@ SSLInitializeStatistics()
   // Add "OTHER" for ciphers not on the map
   add_cipher_stat(SSL_CIPHER_STAT_OTHER.c_str(), "proxy.process.ssl.cipher.user_agent." + SSL_CIPHER_STAT_OTHER);
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(SSL_get_negotiated_group)
-  // TLS Groups
+  // TLS Group
+#if defined(OPENSSL_IS_BORINGSSL)
+  size_t                    list_size = SSL_get_all_group_names(nullptr, 0);
+  std::vector<const char *> group_list(list_size);
+  SSL_get_all_group_names(group_list.data(), group_list.size());
+
+  for (const char *name : group_list) {
+    add_group_stat<std::string>(name, name);
+  }
+#elif defined(SSL_get_negotiated_group)
   for (auto group : TLS_GROUPS) {
-    add_group_stat(group.nid, "proxy.process.ssl.group.user_agent." + group.name);
+    add_group_stat<int>(group.nid, group.name);
   }
 #endif // OPENSSL_IS_BORINGSSL or SSL_get_negotiated_group
 

diff --git a/src/iocore/net/SSLStats.h b/src/iocore/net/SSLStats.h
@@ -30,6 +30,8 @@
 
 #include "tsutil/Metrics.h"
 
+#include <openssl/ssl.h>
+
 using ts::Metrics;
 
 // For some odd reason, these have to be initialized with nullptr, because the order
@@ -99,7 +101,13 @@ struct SSLStatsBlock {
 
 extern SSLStatsBlock                                                   ssl_rsb;
 extern std::unordered_map<std::string, Metrics::Counter::AtomicType *> cipher_map;
+
+#if defined(OPENSSL_IS_BORINGSSL)
+extern std::unordered_map<std::string, Metrics::Counter::AtomicType *> tls_group_map;
+#elif defined(SSL_get_negotiated_group)
 extern std::unordered_map<int, Metrics::Counter::AtomicType *>         tls_group_map;
+constexpr int                                                          SSL_GROUP_STAT_OTHER_KEY = 0;
+#endif
 
 // Initialize SSL statistics.
 void SSLInitializeStatistics();

diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
@@ -1087,16 +1087,24 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
       Metrics::Counter::increment(it->second);
     }
 
-#if defined(OPENSSL_IS_BORINGSSL) || defined(SSL_get_negotiated_group)
-    // TLS Group
-#ifdef OPENSSL_IS_BORINGSSL
-    int nid = SSL_get_negotiated_group(ssl);
+#if defined(OPENSSL_IS_BORINGSSL)
+    uint16_t group_id = SSL_get_group_id(ssl);
+    if (group_id != 0) {
+      const char *group_name = SSL_get_group_name(group_id);
+      if (auto it = tls_group_map.find(group_name); it != tls_group_map.end()) {
+        Metrics::Counter::increment(it->second);
+      } else {
+        Warning("Unknown TLS Group");
+      }
+    }
 #elif defined(SSL_get_negotiated_group)
     int nid = SSL_get_negotiated_group(const_cast<SSL *>(ssl));
-#endif
     if (nid != NID_undef) {
       if (auto it = tls_group_map.find(nid); it != tls_group_map.end()) {
         Metrics::Counter::increment(it->second);
+      } else {
+        auto other = tls_group_map.find(SSL_GROUP_STAT_OTHER_KEY);
+        Metrics::Counter::increment(other->second);
       }
     }
 #endif // OPENSSL_IS_BORINGSSL or SSL_get_negotiated_group