Posted to commits@trafficserver.apache.org by zw...@apache.org on 2021/11/08 23:28:17 UTC
[trafficserver] branch 9.2.x updated: Adds new API:
TSVConnSslSniGet (#8313)
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.2.x by this push:
new e4d510e Adds new API: TSVConnSslSniGet (#8313)
e4d510e is described below
commit e4d510ecf222f994ffe3c692f6e987482ed2bbf9
Author: Randall Meyer <rr...@apache.org>
AuthorDate: Tue Oct 19 14:37:08 2021 -0700
Adds new API: TSVConnSslSniGet (#8313)
(cherry picked from commit ed66e7d847cdbb9cce87f6b8871b626cf4de0114)
---
.../api/functions/TSVConnSslSniGet.en.rst | 33 ++++++++++++++++++++++
include/ts/ts.h | 1 +
src/traffic_server/InkAPI.cc | 19 +++++++++++++
tests/gold_tests/tls/tls_hooks_verify.test.py | 3 +-
tests/tools/plugins/ssl_verify_test.cc | 4 +++
5 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
new file mode 100644
index 0000000..4214366
--- /dev/null
+++ b/doc/developer-guide/api/functions/TSVConnSslSniGet.en.rst
@@ -0,0 +1,33 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed
+ with this work for additional information regarding copyright
+ ownership. The ASF licenses this file to you under the Apache
+ License, Version 2.0 (the "License"); you may not use this file
+ except in compliance with the License. You may obtain a copy of
+ the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied. See the License for the specific language governing
+ permissions and limitations under the License.
+
+
+TSVConnSslSniGet
+================
+
+Synopsis
+--------
+
+.. code-block:: cpp
+
+ #include <ts/ts.h>
+
+.. c:function:: const char TSVConnSslSniGet(TSVConn sslp, int *length)
+
+
+Description
+-----------
+Get the SNI (Server Name Indication) that corresponds to SSL connection :arg:`sslp`.
diff --git a/include/ts/ts.h b/include/ts/ts.h
index d2d216b..fd77272 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1325,6 +1325,7 @@ tsapi int TSVConnIsSsl(TSVConn sslp);
/* Returns 1 if a certificate was provided in the TLS handshake, 0 otherwise.
*/
tsapi int TSVConnProvidedSslCert(TSVConn sslp);
+tsapi const char *TSVConnSslSniGet(TSVConn sslp, int *length);
tsapi TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
tsapi int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
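Review bot: The new prototype at line 70 carries no comment, while the neighbouring TSVConnProvidedSslCert declaration documents its return convention; plugin authors read this header, so add `/* Returns the SNI server name sent on the TLS connection, or NULL if none. If length is non-NULL it receives the name's length (0 when absent). The string is owned by the connection, not the caller. */` above it. The ownership sentence follows from the implementation returning `vc->get_server_name()` directly rather than a copy, and should be confirmed against NetVConnection. Separately, the rst synopsis added in this commit declares the return type as `const char`, which contradicts this `const char *` prototype.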
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 1e86f85..0b0b987 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9455,6 +9455,25 @@ TSVConnSslConnectionGet(TSVConn sslp)
return ssl;
}
+const char *
+TSVConnSslSniGet(TSVConn sslp, int *length)
+{
+ char const *server_name = nullptr;
+ NetVConnection *vc = reinterpret_cast<NetVConnection *>(sslp);
+
+ if (vc == nullptr) {
+ return nullptr;
+ }
+
+ server_name = vc->get_server_name();
+
+ if (length) {
+ *length = server_name ? strlen(server_name) : 0;
+ }
+
+ return server_name;
+}
+
tsapi TSSslVerifyCTX
TSVConnSslVerifyCTXGet(TSVConn sslp)
{
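Review bot: When `sslp` is null the function returns at line 87 without writing `*length`, so a caller that passes an uninitialized int (as tests/tools/plugins/ssl_verify_test.cc does with `int len;`) reads garbage; set the out-parameter before the early return, e.g. make `if (length) { *length = 0; }` the first statement, and make the size_t-to-int narrowing explicit: `*length = server_name ? static_cast<int>(strlen(server_name)) : 0;`. The `reinterpret_cast` to `NetVConnection *` does not check that the vc is a TLS connection; whether `get_server_name()` is safe on a non-TLS vc depends on the base-class definition, which is outside this hunk, so a header comment stating the contract (nullptr when no SNI, length 0 when absent, pointer owned by the connection) would help callers. The body of TSVConnSslVerifyCTXGet continues outside the hunk.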
diff --git a/tests/gold_tests/tls/tls_hooks_verify.test.py b/tests/gold_tests/tls/tls_hooks_verify.test.py
index a60146d..7df8ec0 100644
--- a/tests/gold_tests/tls/tls_hooks_verify.test.py
+++ b/tests/gold_tests/tls/tls_hooks_verify.test.py
@@ -92,7 +92,7 @@ tr3.Processes.Default.Command = "curl --resolve \"bar.com:{0}:127.0.0.1\" -k ht
tr3.Processes.Default.ReturnCode = 0
tr3.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could Not Connect", "Curl attempt should have failed")
-# Over riding the built in ERROR check since we expect tr2 to fail
+# Overriding the built in ERROR check since we expect tr2 to fail
ts.Disk.diags_log.Content = Testers.ContainsExpression(
"WARNING: TS_EVENT_SSL_VERIFY_SERVER plugin failed the origin certificate check for 127.0.0.1. Action=Terminate SNI=random.com",
"random.com should fail")
@@ -113,3 +113,4 @@ ts.Streams.All += Testers.ContainsExpression(
"Server verify callback 0 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
ts.Streams.All += Testers.ContainsExpression(
"Server verify callback 1 [\da-fx]+? - event is good SNI=bar.com error HS", "verify callback happens 2 times")
+ts.Streams.All += Testers.ContainsExpression("Server verify callback SNI APIs match=true", "verify SNI names match")
diff --git a/tests/tools/plugins/ssl_verify_test.cc b/tests/tools/plugins/ssl_verify_test.cc
index d375a07..1cc35ae 100644
--- a/tests/tools/plugins/ssl_verify_test.cc
+++ b/tests/tools/plugins/ssl_verify_test.cc
@@ -61,6 +61,10 @@ CB_server_verify(TSCont cont, TSEvent event, void *edata)
event == TS_EVENT_SSL_VERIFY_SERVER ? "good" : "bad", sni_name,
reenable_event == TS_EVENT_ERROR ? "error HS" : "good HS");
+ int len;
+ const char *method2_name = TSVConnSslSniGet(ssl_vc, &len);
+ TSDebug(PN, "Server verify callback SNI APIs match=%s", 0 == strncmp(method2_name, sni_name, len) ? "true" : "false");
+
// All done, reactivate things
TSVConnReenableEx(ssl_vc, reenable_event);
return TS_SUCCESS;
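Review bot: `strncmp(method2_name, sni_name, len)` at line 128 dereferences `method2_name`, which TSVConnSslSniGet returns as nullptr when no SNI was sent (and when the vc lookup fails, in which case `len` is also left uninitialized), so the debug line can crash the plugin instead of logging `match=false`; guard both pointers and compare whole strings: `bool match = method2_name != nullptr && sni_name != nullptr && strcmp(method2_name, sni_name) == 0;` and log `match ? "true" : "false"`. Because `len` is the length of `method2_name`, the prefix comparison would also report a match for an `sni_name` that merely starts with it. `sni_name` and the start of CB_server_verify are outside the hunk, so whether `sni_name` can itself be null is not visible here.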