BUG/MEDIUM: ssl: Use the early_data API the right way.
We can only read early data if we're a server, and write if we're a client, so don't attempt to mix both. This should be backported to 1.8 and 1.9.
This commit is contained in:
parent
c40efc1919
commit
010941f876
@ -1587,10 +1587,8 @@ int connect_server(struct stream *s)
|
|||||||
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
|
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
|
||||||
(cli_conn->flags & CO_FL_EARLY_DATA) &&
|
(cli_conn->flags & CO_FL_EARLY_DATA) &&
|
||||||
!channel_is_empty(si_oc(&s->si[1])) &&
|
!channel_is_empty(si_oc(&s->si[1])) &&
|
||||||
srv_conn->flags & CO_FL_SSL_WAIT_HS) {
|
srv_conn->flags & CO_FL_SSL_WAIT_HS)
|
||||||
srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
|
srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
|
||||||
srv_conn->flags |= CO_FL_EARLY_SSL_HS;
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (err != SF_ERR_NONE)
|
if (err != SF_ERR_NONE)
|
||||||
|
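Review bot: Dropping the braces at `srv_conn->flags & CO_FL_SSL_WAIT_HS)` leaves a four-line `&&` condition controlling a single unbraced statement that sits directly before `#endif`; the enclosing `if (` and its matching `#if` are outside the hunk, so any second statement added under that `#if` later would run unconditionally. I would keep the braces even with a one-line body: `srv_conn->flags & CO_FL_SSL_WAIT_HS) {` on the condition line and `}` before `#endif`. A why-comment on the cleared flags would also help, since clearing the handshake-wait bits here is what lets the data already queued in `si_oc(&s->si[1])` go out before the server handshake completes; something like `/* client already sent 0-RTT data: allow it to be forwarded before the server handshake completes */`, wording to be confirmed against the flag semantics.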
@ -5830,7 +5830,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
if (!ctx)
|
if (!ctx)
|
||||||
goto out_error;
|
goto out_error;
|
||||||
|
|
||||||
if (conn->flags & CO_FL_HANDSHAKE)
|
if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
|
||||||
/* a handshake was requested */
|
/* a handshake was requested */
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@ -5861,7 +5861,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
if (!SSL_is_init_finished(ctx->ssl)) {
|
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
|
||||||
unsigned int max_early;
|
unsigned int max_early;
|
||||||
|
|
||||||
if (objt_listener(conn->target))
|
if (objt_listener(conn->target))
|
||||||
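Review bot: With the new guard `if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {`, the `if (objt_listener(conn->target))` branch on the following line, and the `if (objt_server(conn->target))` test in the hunk at @ -5885, now run only for backend connections; if a back connection's target is always a server, the listener branch is dead and the server test always true, so both could be folded away to make the client-side-only intent of this block explicit. I would not touch them without confirming that, but a comment on the guard would state the rule the commit message gives: `/* early data can only be written on the client side, i.e. a backend connection */`. The rest of this block, including where `max_early` is read, continues past the hunk. In the hunk at @ -5830 the comment `/* a handshake was requested */` above `return 0;` no longer describes the added `CO_FL_EARLY_SSL_HS` case; extending it to `/* a handshake was requested, or the early handshake is still pending */` (confirm the flag's meaning) keeps it accurate.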
@ -5876,7 +5876,6 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
if (try + ctx->sent_early_data > max_early) {
|
if (try + ctx->sent_early_data > max_early) {
|
||||||
try -= (try + ctx->sent_early_data) - max_early;
|
try -= (try + ctx->sent_early_data) - max_early;
|
||||||
if (try <= 0) {
|
if (try <= 0) {
|
||||||
if (!(conn->flags & CO_FL_EARLY_SSL_HS))
|
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
|
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -5885,10 +5884,8 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
if (ret == 1) {
|
if (ret == 1) {
|
||||||
ret = written_data;
|
ret = written_data;
|
||||||
ctx->sent_early_data += ret;
|
ctx->sent_early_data += ret;
|
||||||
if (objt_server(conn->target)) {
|
if (objt_server(conn->target))
|
||||||
conn->flags &= ~CO_FL_EARLY_SSL_HS;
|
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
|
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|