BUG/MEDIUM: ssl: Use the early_data API the right way.

We can only read early data if we're a server, and write if we're a client,
so don't attempt to mix both.

This should be backported to 1.8 and 1.9.
This commit is contained in:
Olivier Houchard 2019-05-03 20:56:19 +02:00 committed by Olivier Houchard
parent c40efc1919
commit 010941f876
2 changed files with 5 additions and 10 deletions


@ -1587,10 +1587,8 @@ int connect_server(struct stream *s)
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
(cli_conn->flags & CO_FL_EARLY_DATA) &&
!channel_is_empty(si_oc(&s->si[1])) &&
srv_conn->flags & CO_FL_SSL_WAIT_HS) {
srv_conn->flags & CO_FL_SSL_WAIT_HS)
srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
srv_conn->flags |= CO_FL_EARLY_SSL_HS;
}
#endif
if (err != SF_ERR_NONE)
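Review bot: The surviving line `srv_conn->flags & CO_FL_SSL_WAIT_HS)` is the only operand of the chain left unparenthesized, and dropping the braces leaves a single unbraced statement under a five-line condition; I would keep the braces and write `(srv_conn->flags & CO_FL_SSL_WAIT_HS)) {` to match the `(cli_conn->flags & CO_FL_EARLY_DATA)` operand above it. The remaining statement also needs a why-comment, because clearing CO_FL_SSL_WAIT_HS and CO_FL_WAIT_L6_CONN on a connection whose handshake has not run looks wrong in isolation: `/* let the pending request go out as TLS early data; the xprt re-arms the handshake wait once it has been written */` — the second half is what the ssl_sock.c hunks appear to do, so confirm it against them. connect_server continues outside the hunk on both sides.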


@ -5830,7 +5830,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (!ctx)
goto out_error;
if (conn->flags & CO_FL_HANDSHAKE)
if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
/* a handshake was requested */
return 0;
@ -5861,7 +5861,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
}
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (!SSL_is_init_finished(ctx->ssl)) {
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
unsigned int max_early;
if (objt_listener(conn->target))
@ -5876,8 +5876,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (try + ctx->sent_early_data > max_early) {
try -= (try + ctx->sent_early_data) - max_early;
if (try <= 0) {
if (!(conn->flags & CO_FL_EARLY_SSL_HS))
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
break;
}
}
@ -5885,10 +5884,8 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (ret == 1) {
ret = written_data;
ctx->sent_early_data += ret;
if (objt_server(conn->target)) {
conn->flags &= ~CO_FL_EARLY_SSL_HS;
if (objt_server(conn->target))
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
}
}
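Review bot: The new guard `if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {` implements the rule stated in the commit message but the code does not say why; a comment such as `/* only the client side of a TLS session may send early data, never a frontend connection */` would stop the next reader from "fixing" it. Under that guard the `if (objt_listener(conn->target))` branch that selects max_early looks unreachable, and so does the `if (objt_server(conn->target))` test kept in front of the final flag update in the last hunk, assuming a back connection always targets a server; if that holds both can go, otherwise a comment stating when they still apply is warranted. With the clearing of CO_FL_EARLY_SSL_HS removed from the success path, it is worth checking that no remaining backend path still sets that flag, since the first hunk now makes ssl_sock_from_buf return 0 whenever it is set. The enclosing function and its early-data block continue outside the hunks shown.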