Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 54a1dcb1bb788035ca8bc5b98672b18ed7490060^! / . / src / xprt_quic.c
commit54a1dcb1bb788035ca8bc5b98672b18ed7490060[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Mon Apr 11 11:57:35 2022 +0200
committerWilly Tarreau <w@1wt.eu>Mon Apr 11 19:33:04 2022 +0200
treeac895dca080ea684ed16d18f6c0b5346a0ca4e80
parent939b0bf866b349391734dcb29d730bf9057e8d7d [diff] [blame]
MEDIUM: xprt-quic: implement get_ssl_sock_ctx()

By being able to return the ssl_sock_ctx, we're now enabling the whole
set of SSL sample fetch methods to work on the current SSL context of
the QUIC connection, as seen in the following test showing a request
forwarded to an HTTP/1 server with plenty of SSL headers filled:

00000001:decrypt.clireq[000f:ffffffff]: GET / HTTP/1.1
00000001:decrypt.clihdr[000f:ffffffff]: host: localhost
00000001:decrypt.clihdr[000f:ffffffff]: user-agent: nghttp3/ngtcp2 client
00000001:decrypt.clihdr[000f:ffffffff]: x-src: 127.0.0.1
00000001:decrypt.clihdr[000f:ffffffff]: x-dst: 127.0.0.4
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_serial: D16197E7D3E634E9
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_key_alg: rsaEncryption
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_sig_alg: RSA-SHA1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_has_sni: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_sni: blah
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alpn: h3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_protocol: TLSv1.3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_cipher: TLS_AES_256_GCM_SHA384
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alg_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_use_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-forwarded-for: 127.0.0.1

The code is trivial, but this is marked as medium as there's always
the risk that some of the callable functions do not like being called
on such SSL contexts.

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index d675d16..0565f79 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c

@@ -5759,6 +5759,14 @@
 	return 1;
 }
 
+static struct ssl_sock_ctx *qc_get_ssl_sock_ctx(struct connection *conn)
+{
+	if (!conn || conn->xprt != xprt_get(XPRT_QUIC) || !conn->qc || !conn->xprt_ctx)
+		return NULL;
+
+	return conn->qc->xprt_ctx;
+}
+
 /* transport-layer operations for QUIC connections. */
 static struct xprt_ops ssl_quic = {
 	.close    = quic_close,
@@ -5769,6 +5777,7 @@
 	.prepare_bind_conf = ssl_sock_prepare_bind_conf,
 	.destroy_bind_conf = ssl_sock_destroy_bind_conf,
 	.get_alpn = ssl_sock_get_alpn,
+	.get_ssl_sock_ctx = qc_get_ssl_sock_ctx,
 	.name     = "QUIC",
 };