From ed7c9db2a657005fa80eb44593f99dbbf57e6dec Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sun, 9 Sep 2018 22:59:35 +0900
Subject: [PATCH] nghttpx: Add mruby env.tls_handshake_finished

---
 doc/nghttpx.h2r | 8 ++++++++
 src/shrpx_mruby_module_env.cc | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/doc/nghttpx.h2r b/doc/nghttpx.h2r
index 1c090392..abd06a47 100644
--- a/doc/nghttpx.h2r
+++ b/doc/nghttpx.h2r
@@ -437,6 +437,14 @@ respectively.
 Return ALPN identifier negotiated in this connection.
+ .. rb:attr_reader:: tls_handshake_finished
+
+ Return true if SSL/TLS handshake has finished. If it returns
+ false in the request phase hook, the request is received in
+ TLSv1.3 early data (0-RTT) and might be vulnerable to the
+ replay attack. nghttpx will send Early-Data header field to
+ backend servers to indicate this.
+
 .. rb:class:: Request
 Object to represent request from client. The modification to
diff --git a/src/shrpx_mruby_module_env.cc b/src/shrpx_mruby_module_env.cc
index 9a7c3640..b3ed365d 100644
--- a/src/shrpx_mruby_module_env.cc
+++ b/src/shrpx_mruby_module_env.cc
@@ -397,6 +397,18 @@ mrb_value env_get_alpn(mrb_state *mrb, mrb_value self) {
 }
 } // namespace
+namespace {
+mrb_value env_get_tls_handshake_finished(mrb_state *mrb, mrb_value self) {
+ auto data = static_cast(mrb->ud);
+ auto downstream = data->downstream;
+ auto upstream = downstream->get_upstream();
+ auto handler = upstream->get_client_handler();
+ auto conn = handler->get_connection();
+ return SSL_is_init_finished(conn->tls.ssl) ? mrb_true_value()
+ : mrb_false_value();
+}
+} // namespace
+
 void init_env_class(mrb_state *mrb, RClass *module) {
 auto env_class = mrb_define_class_under(mrb, module, "Env", mrb->object_class);
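Review bot: `SSL_is_init_finished(conn->tls.ssl)` in env_get_tls_handshake_finished is evaluated without first checking that the connection has a TLS object, so on a plaintext frontend, where `conn->tls.ssl` is presumably null, a script merely reading `env.tls_handshake_finished` would make OpenSSL dereference a null pointer. I would add `if (!conn->tls.ssl) { return mrb_nil_value(); }` directly after `auto conn = handler->get_connection();`, using whichever of nil or false the sibling accessors `tls_session_reused` and `alpn` already return for non-TLS connections, and state that value in the attr_reader text added to doc/nghttpx.h2r. A short comment on the function would also help readers of this file, e.g. `// False during the request-phase hook means the request arrived as TLSv1.3 early data (0-RTT); see doc/nghttpx.h2r.` The `static_cast(mrb->ud)` with no template argument looks like a rendering artifact rather than the committed source, but is worth confirming against the repository.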
@@ -439,6 +451,8 @@ void init_env_class(mrb_state *mrb, RClass *module) {
 mrb_define_method(mrb, env_class, "tls_session_reused",
 env_get_tls_session_reused, MRB_ARGS_NONE());
 mrb_define_method(mrb, env_class, "alpn", env_get_alpn, MRB_ARGS_NONE());
+ mrb_define_method(mrb, env_class, "tls_handshake_finished",
+ env_get_tls_handshake_finished, MRB_ARGS_NONE());
 }
 } // namespace mruby