Enable Mutual TLS for http2 connections
Passing the TLS-provided credentials from the HTTP connection to the
http2 connection was missed, which appears to break mutual TLS for http2
connections. Pass the credentials.
Tested: Mutual TLS is now functional on http2 connections as shown in
the next patch.
Change-Id: Ia2bbcd5383dae859baa96908b76f221b9c74632c
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/http/http2_connection.hpp b/http/http2_connection.hpp
index bb9f3d5..aeb46ab 100644
--- a/http/http2_connection.hpp
+++ b/http/http2_connection.hpp
@@ -65,13 +65,13 @@
using self_type = HTTP2Connection<Adaptor, Handler>;
public:
- HTTP2Connection(boost::asio::ssl::stream<Adaptor>&& adaptorIn,
- Handler* handlerIn,
- std::function<std::string()>& getCachedDateStrF,
- HttpType httpTypeIn) :
+ HTTP2Connection(
+ boost::asio::ssl::stream<Adaptor>&& adaptorIn, Handler* handlerIn,
+ std::function<std::string()>& getCachedDateStrF, HttpType httpTypeIn,
+ const std::shared_ptr<persistent_data::UserSession>& mtlsSessionIn) :
httpType(httpTypeIn), adaptor(std::move(adaptorIn)),
ngSession(initializeNghttp2Session()), handler(handlerIn),
- getCachedDateStr(getCachedDateStrF)
+ getCachedDateStr(getCachedDateStrF), mtlsSession(mtlsSessionIn)
{}
void start()
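Review bot: The new `mtlsSessionIn` parameter and the `mtlsSession` member it initialises (declared in the third hunk of this file) have no comment saying what a null value means, although the updated test caller passes `nullptr`. I would document it on the member, for example `// Session established from the client certificate at TLS handshake; nullptr when the peer did not authenticate via mTLS`. That wording is inferred from the commit message and should be confirmed against the HTTP/1 connection code. Because the constructor always keeps a copy, taking the pointer by value and initialising with `mtlsSession(std::move(mtlsSessionIn))` would be the usual sink form. The class definition starts and ends outside this hunk.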
@@ -307,7 +307,7 @@
if constexpr (!BMCWEB_INSECURE_DISABLE_AUTH)
{
thisReq.session = crow::authentication::authenticate(
- {}, asyncResp->res, thisReq.method(), thisReq.req, nullptr);
+ {}, asyncResp->res, thisReq.method(), thisReq.req, mtlsSession);
if (!crow::authentication::isOnAllowlist(thisReq.url().path(),
thisReq.method()) &&
thisReq.session == nullptr)
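Review bot: `mtlsSession` is captured once when the connection is upgraded and is then handed to `authenticate` for every stream on it. A long-lived HTTP/2 connection therefore keeps presenting the same `UserSession` object, and the `shared_ptr` keeps it alive even if the session has since been removed or has expired elsewhere. Whether `authenticate` re-validates a session passed in this way is not visible in this hunk. If it does not, revocation would only take effect when the client reconnects, so the session should be checked for continued validity before it is accepted here. At minimum I would add a comment above the call, `// mtlsSession was created at TLS handshake time; authenticate() is expected to reject it if it is no longer valid`. The enclosing function starts and ends outside the hunk.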
@@ -659,6 +659,8 @@
Handler* handler;
std::function<std::string()>& getCachedDateStr;
+ std::shared_ptr<persistent_data::UserSession> mtlsSession;
+
using std::enable_shared_from_this<
HTTP2Connection<Adaptor, Handler>>::shared_from_this;
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 5001c9e..8f03e3e 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -285,7 +285,8 @@
void upgradeToHttp2()
{
auto http2 = std::make_shared<HTTP2Connection<Adaptor, Handler>>(
- std::move(adaptor), handler, getCachedDateStr, httpType);
+ std::move(adaptor), handler, getCachedDateStr, httpType,
+ mtlsSession);
if (http2settings.empty())
{
http2->start();
diff --git a/test/http/http2_connection_test.cpp b/test/http/http2_connection_test.cpp
index 4009e44..117ae45 100644
--- a/test/http/http2_connection_test.cpp
+++ b/test/http/http2_connection_test.cpp
@@ -130,7 +130,7 @@
boost::asio::ssl::context sslCtx(boost::asio::ssl::context::tls_server);
auto conn = std::make_shared<HTTP2Connection<TestStream, FakeHandler>>(
boost::asio::ssl::stream<TestStream>(std::move(stream), sslCtx),
- &handler, date, HttpType::HTTP);
+ &handler, date, HttpType::HTTP, nullptr);
conn->start();
std::string_view expectedPrefix =