From 54a1dcb1bb788035ca8bc5b98672b18ed7490060 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 11 Apr 2022 11:57:35 +0200
Subject: [PATCH] MEDIUM: xprt-quic: implement get_ssl_sock_ctx()

By being able to return the ssl_sock_ctx, we're now enabling the whole set of SSL sample fetch methods to work on the current SSL context of the QUIC connection, as seen in the following test showing a request forwarded to an HTTP/1 server with plenty of SSL headers filled:

00000001:decrypt.clireq[000f:ffffffff]: GET / HTTP/1.1
00000001:decrypt.clihdr[000f:ffffffff]: host: localhost
00000001:decrypt.clihdr[000f:ffffffff]: user-agent: nghttp3/ngtcp2 client
00000001:decrypt.clihdr[000f:ffffffff]: x-src: 127.0.0.1
00000001:decrypt.clihdr[000f:ffffffff]: x-dst: 127.0.0.4
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_serial: D16197E7D3E634E9
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_key_alg: rsaEncryption
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_sig_alg: RSA-SHA1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_has_sni: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_sni: blah
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alpn: h3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_protocol: TLSv1.3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_cipher: TLS_AES_256_GCM_SHA384
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alg_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_use_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-forwarded-for: 127.0.0.1

The code is trivial, but this is marked as medium as there's always the risk that some of the callable functions do not like being called on such SSL contexts.
---
 src/xprt_quic.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index d675d16d8..0565f79ce 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -5759,6 +5759,14 @@ static int qc_xprt_start(struct connection *conn, void *ctx)
 	return 1;
 }
 
+static struct ssl_sock_ctx *qc_get_ssl_sock_ctx(struct connection *conn)
+{
+	if (!conn || conn->xprt != xprt_get(XPRT_QUIC) || !conn->qc || !conn->xprt_ctx)
+		return NULL;
+
+	return conn->qc->xprt_ctx;
+}
+
 /* transport-layer operations for QUIC connections. */
 static struct xprt_ops ssl_quic = {
 	.close = quic_close,
@@ -5769,6 +5777,7 @@ static struct xprt_ops ssl_quic = {
 	.prepare_bind_conf = ssl_sock_prepare_bind_conf,
 	.destroy_bind_conf = ssl_sock_destroy_bind_conf,
 	.get_alpn = ssl_sock_get_alpn,
+	.get_ssl_sock_ctx = qc_get_ssl_sock_ctx,
 	.name = "QUIC",
 };
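Review bot: qc_get_ssl_sock_ctx has no header comment, unlike the ssl_quic table right below it; a one-liner such as `/* Returns the ssl_sock_ctx of a QUIC connection, or NULL if <conn> is not a QUIC connection or has no context yet. */` would also document the NULL contract callers must honour. The guard tests `conn->xprt_ctx` but the value returned is `conn->qc->xprt_ctx`; if those are distinct objects (I cannot confirm that from the hunk), the NULL check does not cover what is actually returned, so either test `!conn->qc->xprt_ctx` in the guard or state in the comment that callers must still handle a NULL result. Since the commit message itself notes that the SSL sample fetch functions were not written with QUIC contexts in mind, that comment is also the right place to record which fields of the returned ssl_sock_ctx the QUIC layer guarantees to be populated, so that a fetch reading an unset field is caught at review time rather than at runtime.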