Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[tls] add missing built in cipher stat names #14676

Merged
merged 7 commits into from
Jan 13, 2021
Merged

[tls] add missing built in cipher stat names #14676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7631904
add missing ciphers
asraa Jan 12, 2021
f006801
update link
asraa Jan 12, 2021
5064b64
remove aes-ccm
asraa Jan 12, 2021
37251e7
add spelling
asraa Jan 12, 2021
65b9605
fix nit
asraa Jan 12, 2021
1698431
fix test
asraa Jan 12, 2021
0c856cf
fix test
asraa Jan 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions source/extensions/transport_sockets/tls/context_impl.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -471,9 +471,10 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
}

// Add hardcoded cipher suites from the TLS 1.3 spec:
// https://tools.ietf.org/html/rfc8446
// https://tools.ietf.org/html/rfc8446#appendix-B.4
// AES-CCM cipher suites are removed (no BoringSSL support).
stat_name_set_->rememberBuiltins(
{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"});
{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"});

// Curves from
// https://github.com/google/boringssl/blob/f4d8b969200f1ee2dd872ffb85802e6a0976afe7/ssl/ssl_key_share.cc#L384
Expand Down
21 changes: 13 additions & 8 deletions test/extensions/transport_sockets/tls/context_impl_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1977,11 +1977,16 @@ class SslContextStatsTest : public SslContextImplTest {
TEST_F(SslContextStatsTest, IncOnlyKnownCounters) {
// Incrementing a value for a cipher that is part of the configuration works, and
// we'll be able to find the value in the stats store.
context_->incCounter("ssl.ciphers", "ECDHE-ECDSA-AES256-GCM-SHA384");
Stats::CounterOptConstRef cipher =
store_.findCounterByString("ssl.ciphers.ECDHE-ECDSA-AES256-GCM-SHA384");
ASSERT_TRUE(cipher.has_value());
EXPECT_EQ(1, cipher->get().value());
for (const auto& cipher :
{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}) {
// Test supported built-in TLS v1.3 cipher suites
// https://tools.ietf.org/html/rfc8446#appendix-B.4.
context_->incCounter("ssl.ciphers", cipher);
Stats::CounterOptConstRef stat =
store_.findCounterByString(absl::StrCat("ssl.ciphers.", cipher));
ASSERT_TRUE(stat.has_value());
EXPECT_EQ(1, stat->get().value());
}

// Incrementing a stat for a random unknown cipher does not work. A
// rate-limited error log message will also be generated but that is hard to
Expand All @@ -1995,9 +2000,9 @@ TEST_F(SslContextStatsTest, IncOnlyKnownCounters) {
// fallback registration does not occur. So we test for the fallback only in
// release builds.
#ifdef NDEBUG
cipher = store_.findCounterByString("ssl.ciphers.fallback");
ASSERT_TRUE(cipher.has_value());
EXPECT_EQ(1, cipher->get().value());
Stats::CounterOptConstRef stat = store_.findCounterByString("ssl.ciphers.fallback");
ASSERT_TRUE(stat.has_value());
EXPECT_EQ(1, stat->get().value());
#endif
}

Expand Down
1 change: 1 addition & 0 deletions tools/spelling/spelling_dictionary.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ STATNAME
SkyWalking
TIDs
ceil
CCM
CHACHA
CHLO
CHMOD
Expand Down