From bef0372b85c77298fa50a291ce4c16d26c51c268 Mon Sep 17 00:00:00 2001
From: Fei Deng
Date: Mon, 21 Mar 2022 13:42:54 -0500
Subject: [PATCH] add log format for whether origin TLS connection resumed an existing TLS session
---
 doc/admin-guide/logging/formatting.en.rst | 3 +++
 iocore/net/TLSSessionResumptionSupport.cc | 14 +++++++++++++-
 iocore/net/TLSSessionResumptionSupport.h | 7 +++++--
 proxy/http/HttpSM.cc | 4 ++++
 proxy/http/HttpSM.h | 1 +
 proxy/logging/Log.cc | 5 +++++
 proxy/logging/LogAccess.cc | 9 +++++++++
 proxy/logging/LogAccess.h | 1 +
 8 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst
index 328dfb69f90..20ae0cfb0eb 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -636,6 +636,9 @@ cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the
 cqssa Client Request ALPN Protocol ID negotiated with the client.
 pqssl Proxy Request Indicates whether the connection from |TS| to the origin was over SSL or not.
+pqssr Proxy Request SSL session ticket reused status from |TS| to the origin;
+ indicates if the current request hit the SSL session ticket
+ and avoided a full SSL handshake.
 pscert Proxy Request 1 if origin requested certificate from |TS| during TLS handshake but no client certificate was defined. 2 if origin requested certificate from |TS| during TLS handshake and a
diff --git a/iocore/net/TLSSessionResumptionSupport.cc b/iocore/net/TLSSessionResumptionSupport.cc
index 36cfbb5d0af..f2bf82c0d8d 100644
--- a/iocore/net/TLSSessionResumptionSupport.cc
+++ b/iocore/net/TLSSessionResumptionSupport.cc
@@ -122,6 +122,12 @@ TLSSessionResumptionSupport::getSSLSessionCacheHit() const
   return this->_sslSessionCacheHit;
 }
 
+bool
+TLSSessionResumptionSupport::getSSLOriginSessionCacheHit() const
+{
+  return this->_sslOriginSessionCacheHit;
+}
+
 ssl_curve_id
 TLSSessionResumptionSupport::getSSLCurveNID() const
 {
@@ -187,7 +193,7 @@ TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string &looku
       shared_sess.reset();
     } else {
       SSL_INCREMENT_DYN_STAT(ssl_origin_session_cache_hit);
-      this->_setSSLSessionCacheHit(true);
+      this->_setSSLOriginSessionCacheHit(true);
       this->_setSSLCurveNID(curve);
     }
   } else {
@@ -290,6 +296,12 @@ TLSSessionResumptionSupport::_setSSLSessionCacheHit(bool state)
   this->_sslSessionCacheHit = state;
 }
 
+void
+TLSSessionResumptionSupport::_setSSLOriginSessionCacheHit(bool state)
+{
+  this->_sslOriginSessionCacheHit = state;
+}
+
 void
 TLSSessionResumptionSupport::_setSSLCurveNID(ssl_curve_id curve_nid)
 {
diff --git a/iocore/net/TLSSessionResumptionSupport.h b/iocore/net/TLSSessionResumptionSupport.h
index 5f1fa37a91c..fb27ed3a396 100644
--- a/iocore/net/TLSSessionResumptionSupport.h
+++ b/iocore/net/TLSSessionResumptionSupport.h
@@ -48,6 +48,7 @@ class TLSSessionResumptionSupport
                   int enc);
 #endif
   bool getSSLSessionCacheHit() const;
+  bool getSSLOriginSessionCacheHit() const;
   ssl_curve_id getSSLCurveNID() const;
   SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
 
@@ -60,8 +61,9 @@ class TLSSessionResumptionSupport
 private:
   static int _ex_data_index;
 
-  bool _sslSessionCacheHit = false;
-  int _sslCurveNID = NID_undef;
+  bool _sslSessionCacheHit = false;
+  bool _sslOriginSessionCacheHit = false;
+  int _sslCurveNID = NID_undef;
 
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
   int _setSessionInformation(ssl_ticket_key_block *keyblock, SSL *ssl, unsigned char *keyname, unsigned char *iv,
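Review bot: The flag that feeds the new pqssr field is set at cache-lookup time, in the `this->_setSSLOriginSessionCacheHit(true);` line next to the ssl_origin_session_cache_hit stat inside getOriginSession, so it records that a cached session was found for the origin, not that the origin accepted it; an origin that has dropped the session or rotated its ticket key will still perform a full handshake while the log reports 1. If the documented meaning ("avoided a full SSL handshake") is what is wanted, the authoritative signal is `SSL_session_reused(ssl)` read after the handshake has completed, with the lookup-time flag kept for the stat only. Separately, the old line set the client-side `_sslSessionCacheHit` from this origin path, so the rename also stops origin lookups from polluting the client-side value; that is worth a sentence in the commit description. getOriginSession starts and ends outside the hunk.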
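Review bot: `_sslSessionCacheHit` and `_sslOriginSessionCacheHit` now sit side by side in the @@ -60 hunk with nothing in the header saying which side of the handshake each describes, and the two getters added in the @@ -48 hunk differ by a single word. Judging from the names and from where the .cc hunk sets the new one, the first appears to cover resumption of an incoming client session and the second a cache hit for an outbound origin session; please confirm and record it, e.g. `// set when an inbound client session was resumed (this side is the TLS server)` above the first and `// set by getOriginSession() when a cached session for the origin is found; does not mean the origin accepted it` above the second, with the same wording on the corresponding getters.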
@@ -76,5 +78,6 @@ class TLSSessionResumptionSupport
 #endif
 
   void _setSSLSessionCacheHit(bool state);
+  void _setSSLOriginSessionCacheHit(bool state);
   void _setSSLCurveNID(ssl_curve_id curve_nid);
 };
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index fbecbe70a6b..62649b6dec6 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -6267,6 +6267,10 @@ HttpSM::attach_server_session()
     server_connection_is_ssl = true;
   }
 
+  if (auto tsrs = dynamic_cast(server_vc)) {
+    server_ssl_reused = tsrs->getSSLOriginSessionCacheHit();
+  }
+
   server_protocol = server_txn->get_protocol_string();
 
   // Initiate a read on the session so that the SM and not
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 340df6e4bd5..0d66cab71b7 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -546,6 +546,7 @@ class HttpSM : public Continuation, public PluginUserArgs
   bool client_ssl_reused = false;
   bool client_connection_is_ssl = false;
   bool is_internal = false;
+  bool server_ssl_reused = false;
   bool server_connection_is_ssl = false;
   bool is_waiting_for_full_body = false;
   bool is_using_post_buffer = false;
diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
index c20859353f8..6c5d34b8992 100644
--- a/proxy/logging/Log.cc
+++ b/proxy/logging/Log.cc
@@ -747,6 +747,11 @@ Log::init_fields()
   global_field_list.add(field, false);
   field_symbol_hash.emplace("pqssl", field);
 
+  field = new LogField("proxy_req_ssl_reused", "pqssr", LogField::dINT, &LogAccess::marshal_proxy_req_ssl_reused,
+                       &LogAccess::unmarshal_int_to_str);
+  global_field_list.add(field, false);
+  field_symbol_hash.emplace("pqssr", field);
+
   field = new LogField("proxy_request_all_header_fields", "pqah", LogField::STRING, &LogAccess::marshal_proxy_req_all_header_fields,
                        &LogUtils::unmarshalMimeHdr);
   global_field_list.add(field, false);
diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
index f5c1a388317..7fe9a9a9ff3 100644
--- a/proxy/logging/LogAccess.cc
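Review bot: `server_ssl_reused` is sampled once, when the server session is attached, so it holds whatever getSSLOriginSessionCacheHit() returns at that instant; if, on a freshly opened origin connection, the TLS client handshake (and with it getOriginSession) has not yet run when attach_server_session executes, pqssr would log 0 for exactly the requests that did resume — confirm the ordering against the client-handshake path, or defer the read until the handshake is known to be complete. On a pooled keep-alive origin connection every later transaction will report the resumption result of that connection's original handshake, which matches how pqssl behaves but deserves a sentence in formatting.en.rst. As printed here the cast reads `dynamic_cast(server_vc)` with no target type; presumably the `<TLSSessionResumptionSupport *>` argument was lost in rendering rather than in the source. attach_server_session begins and ends outside the hunk.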
+++ b/proxy/logging/LogAccess.cc
@@ -2312,6 +2312,15 @@ LogAccess::marshal_proxy_req_is_ssl(char *buf)
   return INK_MIN_ALIGN;
 }
 
+int
+LogAccess::marshal_proxy_req_ssl_reused(char *buf)
+{
+  if (buf) {
+    marshal_int(buf, m_http_sm->server_ssl_reused ? 1 : 0);
+  }
+  return INK_MIN_ALIGN;
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 
diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
index 5dba8d8085e..049cd61d890 100644
--- a/proxy/logging/LogAccess.h
+++ b/proxy/logging/LogAccess.h
@@ -189,6 +189,7 @@ class LogAccess
   int marshal_proxy_host_name(char *); // STR
   int marshal_proxy_host_ip(char *); // STR
   int marshal_proxy_req_is_ssl(char *); // INT
+  int marshal_proxy_req_ssl_reused(char *); // INT
   int marshal_proxy_req_all_header_fields(char *); // STR
 
   //
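Review bot: marshal_proxy_req_ssl_reused carries no comment tying it to the pqssr symbol it serves or to where `server_ssl_reused` is produced, and the meaning of that value is the subtle part of this change. Suggest two lines above the definition: `// pqssr: 1 if the origin TLS connection was set up from a cached session (HttpSM::server_ssl_reused,` and `// sampled from TLSSessionResumptionSupport::getSSLOriginSessionCacheHit() when the session is attached), else 0.` The surrounding marshal_* functions follow the same `if (buf) { marshal_int(...); } return INK_MIN_ALIGN;` shape, so the body itself is consistent with its neighbours.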