From 979458520448ae927b31d443d8da118feb80c422 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 5 Dec 2025 10:37:27 +0100
Subject: [PATCH] MINOR: ssl: Store hash of the SNI for cached TLS sessions

For cached TLS sessions, in addition to the SNI itself, its hash is now also saved. No changes are expected here because this hash is not used for now.

This commit relies on:
 * MINOR: ssl: Add a function to hash SNIs
---
 include/haproxy/server-t.h | 1 +
 src/ssl_sock.c | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index a665e4e43..2dc27ecc4 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -485,6 +485,7 @@ struct server {
 unsigned char *ptr;
 int size;
 int allocated_size;
+ uint64_t sni_hash; /* Hash of the SNI used for the session */
 char *sni; /* SNI used for the session */
 __decl_thread(HA_RWLOCK_T sess_lock);
 } * reused_sess;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1731b9635..a6d213f56 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4250,12 +4250,16 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 /* if the new sni is empty or isn' t the same as the old one */
 if ((!sni) || strcmp(s->ssl_ctx.reused_sess[tid].sni, sni) != 0) {
 ha_free(&s->ssl_ctx.reused_sess[tid].sni);
- if (sni)
+ s->ssl_ctx.reused_sess[tid].sni_hash = 0;
+ if (sni) {
 s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+ s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
+ }
 }
 } else if (sni) {
 /* if there wasn't an old sni but there is a new one */
 s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+ s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
 }
 #ifdef USE_QUIC
 /* The selected ALPN is not stored without SSL session. */
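Review bot: The comment on the new `sni_hash` field in struct server does not say that 0 stands for "no SNI stored", which the ssl_sock.c hunk relies on when it resets the field right after `ha_free()`. I would write it as `uint64_t sni_hash; /* Hash of the SNI used for the session, 0 when no SNI is stored */`. The same comment should state that the hash is only a lookup hint and that `sni` remains the authoritative value. Two distinct names can share a 64-bit hash, so a later consumer that trusted the hash alone could resume a session cached for a different server name. Whether ssl_sock_sni_hash() can return 0 for a non-empty name is not visible in this patch and should be confirmed before 0 is treated as a sentinel.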
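Review bot: In both branches of ssl_sess_new_srv_cb() the hash is stored without checking the preceding `strdup(sni)`, so an allocation failure leaves `reused_sess[tid].sni` NULL while `sni_hash` holds the hash of a real name. Once the hash is consulted, as the commit message anticipates, that entry would look like a cached session for this SNI although no name is stored to confirm it. I would compute the hash only when the copy succeeded, in both places: `if (s->ssl_ctx.reused_sess[tid].sni) s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));`. For the `else if (sni)` branch this presumes the field is already 0 when no SNI is stored, which should be confirmed. The function starts and ends outside the hunk, so any other site that frees or replaces `.sni` is not visible here and should reset `sni_hash` the same way.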