RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-28 13:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: Use the early_data API the right way.

Browse Source 
We can only read early data if we're a server, and write if we're a client,
so don't attempt to mix both.

This should be backported to 1.8 and 1.9.
This commit is contained in:
Olivier Houchard 2019-05-03 20:56:19 +02:00 committed by Olivier Houchard
parent c40efc1919
commit 010941f876
2 changed files with 5 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend.c
View File

@ -1587,10 +1587,8 @@ int connect_server(struct stream *s)
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) && (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
(cli_conn->flags & CO_FL_EARLY_DATA) && (cli_conn->flags & CO_FL_EARLY_DATA) &&
!channel_is_empty(si_oc(&s->si[1])) && !channel_is_empty(si_oc(&s->si[1])) &&
srv_conn->flags & CO_FL_SSL_WAIT_HS) { srv_conn->flags & CO_FL_SSL_WAIT_HS)
srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN); srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
srv_conn->flags |= CO_FL_EARLY_SSL_HS;
}
#endif #endif
if (err != SF_ERR_NONE) if (err != SF_ERR_NONE)

9
src/ssl_sock.c
View File

@ -5830,7 +5830,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (!ctx) if (!ctx)
goto out_error; goto out_error;
if (conn->flags & CO_FL_HANDSHAKE) if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
/* a handshake was requested */ /* a handshake was requested */
return 0; return 0;
@ -5861,7 +5861,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (!SSL_is_init_finished(ctx->ssl)) { if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
unsigned int max_early; unsigned int max_early;
if (objt_listener(conn->target)) if (objt_listener(conn->target))
@ -5876,7 +5876,6 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (try + ctx->sent_early_data > max_early) { if (try + ctx->sent_early_data > max_early) {
try -= (try + ctx->sent_early_data) - max_early; try -= (try + ctx->sent_early_data) - max_early;
if (try <= 0) { if (try <= 0) {
if (!(conn->flags & CO_FL_EARLY_SSL_HS))
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
break; break;
} }
@ -5885,10 +5884,8 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
if (ret == 1) { if (ret == 1) {
ret = written_data; ret = written_data;
ctx->sent_early_data += ret; ctx->sent_early_data += ret;
if (objt_server(conn->target)) { if (objt_server(conn->target))
conn->flags &= ~CO_FL_EARLY_SSL_HS;
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA; conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
}
} }