transportsocket: add interface to improve reusable tls session

Signed-off-by: Yuchen Dai <[email protected]>
lambdai · Apr 13, 2024 · 4314fc5 · 4314fc5
1 parent bdff856
commit 4314fc5
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 6 deletions.
diff --git a/envoy/network/transport_socket.h b/envoy/network/transport_socket.h
@@ -279,6 +279,12 @@ class TransportSocketOptions {
    * that are marked as shared with the upstream connection.
    */
   virtual const StreamInfo::FilterState::Objects& downstreamSharedFilterStateObjects() const PURE;
+
+  /**
+   * @return the tag as the hint to select SSL session. This value does not participate the conn
+   * pool key.
+   */
+  virtual absl::optional<uint64_t> sslSessionTag() const PURE;
 };
 
 using TransportSocketOptionsConstSharedPtr = std::shared_ptr<const TransportSocketOptions>;

diff --git a/source/common/network/transport_socket_options_impl.h b/source/common/network/transport_socket_options_impl.h
@@ -36,6 +36,9 @@ class AlpnDecoratingTransportSocketOptions : public TransportSocketOptions {
   const StreamInfo::FilterState::Objects& downstreamSharedFilterStateObjects() const override {
     return inner_options_->downstreamSharedFilterStateObjects();
   }
+  absl::optional<uint64_t> sslSessionTag() const override {
+    return inner_options_->sslSessionTag();
+  }
 
 private:
   const std::vector<std::string> alpn_fallback_;
@@ -51,15 +54,16 @@ class TransportSocketOptionsImpl : public TransportSocketOptions {
       absl::optional<Network::ProxyProtocolData> proxy_proto_options = absl::nullopt,
       StreamInfo::FilterState::ObjectsPtr filter_state_objects =
           std::make_unique<StreamInfo::FilterState::Objects>(),
-      std::unique_ptr<const Http11ProxyInfo>&& proxy_info = nullptr)
+      std::unique_ptr<const Http11ProxyInfo>&& proxy_info = nullptr,
+      absl::optional<uint64_t> ssl_session_tag = absl::nullopt)
       : override_server_name_(override_server_name.empty()
                                   ? absl::nullopt
                                   : absl::optional<std::string>(override_server_name)),
         override_verify_san_list_{std::move(override_verify_san_list)},
         override_alpn_list_{std::move(override_alpn)}, alpn_fallback_{std::move(fallback_alpn)},
         proxy_protocol_options_(proxy_proto_options),
-        filter_state_objects_(std::move(filter_state_objects)), proxy_info_(std::move(proxy_info)) {
-  }
+        filter_state_objects_(std::move(filter_state_objects)), proxy_info_(std::move(proxy_info)),
+        ssl_session_tag_(ssl_session_tag) {}
 
   // Network::TransportSocketOptions
   const absl::optional<std::string>& serverNameOverride() const override {
@@ -86,6 +90,7 @@ class TransportSocketOptionsImpl : public TransportSocketOptions {
   const StreamInfo::FilterState::Objects& downstreamSharedFilterStateObjects() const override {
     return *filter_state_objects_;
   }
+  absl::optional<uint64_t> sslSessionTag() const override { return ssl_session_tag_; }
 
 private:
   const absl::optional<std::string> override_server_name_;
@@ -96,6 +101,7 @@ class TransportSocketOptionsImpl : public TransportSocketOptions {
   const StreamInfo::FilterState::ObjectsPtr filter_state_objects_;
   const StreamInfo::FilterStateSharedPtr filter_state_;
   std::unique_ptr<const Http11ProxyInfo> proxy_info_;
+  const absl::optional<uint64_t> ssl_session_tag_;
 };
 
 class TransportSocketOptionsUtility {

diff --git a/source/common/tls/context_impl.cc b/source/common/tls/context_impl.cc
@@ -684,7 +684,16 @@ ClientContextImpl::ClientContextImpl(Stats::Scope& scope,
               static_cast<ContextImpl*>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
           ClientContextImpl* client_context_impl = dynamic_cast<ClientContextImpl*>(context_impl);
           RELEASE_ASSERT(client_context_impl != nullptr, ""); // for Coverity
-          return client_context_impl->newSessionKey(session);
+
+          const auto* transport_socket_options_shared_ptr_ptr =
+              static_cast<const Network::TransportSocketOptionsConstSharedPtr*>(
+                  SSL_get_app_data(ssl));
+          if (transport_socket_options_shared_ptr_ptr == nullptr) {
+            // 0 indicates that the session is not taken ownership of.
+            return 0;
+          }
+          return client_context_impl->newSessionKey(
+              (*transport_socket_options_shared_ptr_ptr)->sslSessionTag(), session);
         });
   }
 }
@@ -771,7 +780,10 @@ ClientContextImpl::newSsl(const Network::TransportSocketOptionsConstSharedPtr& o
   return ssl_con;
 }
 
-int ClientContextImpl::newSessionKey(SSL_SESSION* session) {
+int ClientContextImpl::newSessionKey([[maybe_unused]] absl::optional<uint64_t> session_tag,
+                                     SSL_SESSION* session) {
+  // TODO(lambdai): save the session according to ``session_tag``.
+
   // In case we ever store single-use session key (TLS 1.3),
   // we need to switch to using write/write locks.
   if (SSL_SESSION_should_be_single_use(session)) {

diff --git a/source/common/tls/context_impl.h b/source/common/tls/context_impl.h
@@ -180,7 +180,10 @@ class ClientContextImpl : public ContextImpl, public Envoy::Ssl::ClientContext {
   newSsl(const Network::TransportSocketOptionsConstSharedPtr& options) override;
 
 private:
-  int newSessionKey(SSL_SESSION* session);
+  /**
+   * @return 1 ClientContextImpl retains the reference, 0 otherwise.
+   */
+  int newSessionKey(absl::optional<uint64_t> session_tag, SSL_SESSION* session);
 
   const std::string server_name_indication_;
   const bool allow_renegotiation_;