Posted to commits@trafficserver.apache.org by zw...@apache.org on 2021/11/08 23:28:17 UTC

[trafficserver] branch 9.2.x updated: Adds new API: TSVConnSslSniGet (#8313)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.2.x by this push:
     new e4d510e  Adds new API: TSVConnSslSniGet (#8313)
e4d510e is described below

commit e4d510ecf222f994ffe3c692f6e987482ed2bbf9
Author: Randall Meyer <rr...@apache.org>
AuthorDate: Tue Oct 19 14:37:08 2021 -0700

    Adds new API: TSVConnSslSniGet (#8313)
    
    (cherry picked from commit ed66e7d847cdbb9cce87f6b8871b626cf4de0114)
---
 .../api/functions/TSVConnSslSniGet.en.rst          | 33 ++++++++++++++++++++++
 include/ts/ts.h                                    |  1 +
 src/traffic_server/InkAPI.cc                       | 19 +++++++++++++
 tests/gold_tests/tls/tls_hooks_verify.test.py      |  3 +-
 tests/tools/plugins/ssl_verify_test.cc             |  4 +++
 5 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
new file mode 100644
index 0000000..4214366
--- /dev/null
+++ b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
@@ -0,0 +1,33 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed
+   with this work for additional information regarding copyright
+   ownership.  The ASF licenses this file to you under the Apache
+   License, Version 2.0 (the "License"); you may not use this file
+   except in compliance with the License.  You may obtain a copy of
+   the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied.  See the License for the specific language governing
+   permissions and limitations under the License.
+
+
+TSVConnSslSniGet
+================
+
+Synopsis
+--------
+
+.. code-block:: cpp
+
+    #include <ts/ts.h>
+
+.. c:function:: const char TSVConnSslSniGet(TSVConn sslp, int *length)
+
+
+Description
+-----------
+Get the SNI (Server Name Indication) that corresponds to SSL connection :arg:`sslp`.
diff --git a/include/ts/ts.h b/include/ts/ts.h
index d2d216b..fd77272 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1325,6 +1325,7 @@ tsapi int TSVConnIsSsl(TSVConn sslp);
 /* Returns 1 if a certificate was provided in the TLS handshake, 0 otherwise.
  */
 tsapi int TSVConnProvidedSslCert(TSVConn sslp);
+tsapi const char *TSVConnSslSniGet(TSVConn sslp, int *length);
 
 tsapi TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
 tsapi int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
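Review bot: The added `TSVConnSslSniGet` declaration has no comment, while the neighboring `TSVConnProvidedSslCert` directly above it documents its return value, so a plugin author reading the header cannot tell when the function returns nullptr, what `length` receives, or who owns the returned string and for how long it stays valid. Suggest a comment in the same style immediately above the new line, e.g. `/* Returns the SNI server name of the TLS handshake on sslp, or nullptr when the connection or the name is unavailable. If length is non-null it receives the name's length (0 when nullptr is returned). The string is owned by the connection; do not free it. */`, with the ownership sentence confirmed against the InkAPI.cc implementation. The new .rst page for this function in the same commit also drops the `*` from the return type in its `c:function` line, so it disagrees with this header.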
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 1e86f85..0b0b987 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9455,6 +9455,25 @@ TSVConnSslConnectionGet(TSVConn sslp)
   return ssl;
 }
 
+const char *
+TSVConnSslSniGet(TSVConn sslp, int *length)
+{
+  char const *server_name = nullptr;
+  NetVConnection *vc      = reinterpret_cast<NetVConnection *>(sslp);
+
+  if (vc == nullptr) {
+    return nullptr;
+  }
+
+  server_name = vc->get_server_name();
+
+  if (length) {
+    *length = server_name ? strlen(server_name) : 0;
+  }
+
+  return server_name;
+}
+
 tsapi TSSslVerifyCTX
 TSVConnSslVerifyCTXGet(TSVConn sslp)
 {
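Review bot: In `TSVConnSslSniGet`, the early `return nullptr` for a null `vc` leaves `*length` untouched, so a caller that declares an uninitialized `int len` (exactly what the test plugin in this commit does) reads garbage after a failed call. Initialize the out-parameter before the null check, `if (length) { *length = 0; }` moved ahead of `if (vc == nullptr)`, and drop the later `: 0` arm. The assignment `*length = ... strlen(server_name)` also narrows `size_t` to `int` implicitly; `static_cast<int>(strlen(server_name))` makes the narrowing visible and quiets `-Wconversion`. Finally, the definition omits the `tsapi` marker that the neighboring `TSVConnSslVerifyCTXGet` definition carries, which is presumably an oversight rather than intentional.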
diff --git a/tests/gold_tests/tls/tls_hooks_verify.test.py b/tests/gold_tests/tls/tls_hooks_verify.test.py
index a60146d..7df8ec0 100644
--- a/tests/gold_tests/tls/tls_hooks_verify.test.py
+++ b/tests/gold_tests/tls/tls_hooks_verify.test.py
@@ -92,7 +92,7 @@ tr3.Processes.Default.Command = "curl --resolve \"bar.com:{0}:127.0.0.1\" -k  ht
 tr3.Processes.Default.ReturnCode = 0
 tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have failed")
 
-# Over riding the built in ERROR check since we expect tr2 to fail
+# Overriding the built in ERROR check since we expect tr2 to fail
 ts.Disk.diags_log.Content = Testers.ContainsExpression(
     "WARNING: TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for 127.0.0.1.  Action=Terminate SNI=random.com",
     "random.com should fail")
@@ -113,3 +113,4 @@ ts.Streams.All += Testers.ContainsExpression(
     "Server verify callback 0 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
 ts.Streams.All += Testers.ContainsExpression(
     "Server verify callback 1 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
+ts.Streams.All += Testers.ContainsExpression("Server verify callback SNI APIs match=true", "verify SNI names match")
diff --git a/tests/tools/plugins/ssl_verify_test.cc b/tests/tools/plugins/ssl_verify_test.cc
index d375a07..1cc35ae 100644
--- a/tests/tools/plugins/ssl_verify_test.cc
+++ b/tests/tools/plugins/ssl_verify_test.cc
@@ -61,6 +61,10 @@ CB_server_verify(TSCont cont, TSEvent event, void *edata)
           event == TS_EVENT_SSL_VERIFY_SERVER ? "good" : "bad", sni_name,
           reenable_event == TS_EVENT_ERROR ? "error HS" : "good HS");
 
+  int len;
+  const char *method2_name = TSVConnSslSniGet(ssl_vc, &len);
+  TSDebug(PN, "Server verify callback SNI APIs match=%s", 0 == strncmp(method2_name, sni_name, len) ? "true" : "false");
+
   // All done, reactivate things
   TSVConnReenableEx(ssl_vc, reenable_event);
   return TS_SUCCESS;
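Review bot: The added `strncmp(method2_name, sni_name, len)` is undefined behaviour if `TSVConnSslSniGet` returns nullptr (it does so for a null connection and for a connection without a server name), and `len` is uninitialized in that case because the API does not set it before its early return. Since the comparison is bounded by the length of `method2_name` only, a `sni_name` that merely starts with the same characters would also report `match=true`. Prefer `int len = 0;` and `bool match = method2_name != nullptr && sni_name != nullptr && strcmp(method2_name, sni_name) == 0;` with the debug line printing `match ? "true" : "false"`. Where `sni_name` comes from is outside the hunk, so its nullability is assumed here; `CB_server_verify` itself starts before this hunk.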