MINOR: connection: remove CO_FL_SSL_WAIT_HS from CO_FL_HANDSHAKE

Most places continue to check CO_FL_HANDSHAKE while in fact they should
check CO_FL_HANDSHAKE_NOSSL, which contains all handshakes but the one
dedicated to SSL renegotiation. In fact the SSL layer should be the
only one checking CO_FL_SSL_WAIT_HS, so as to avoid processing data
when a renegotiation is in progress, but other ones randomly include it
without knowing. And ideally it should even be an internal flag that's
not exposed in the connection.

This patch takes CO_FL_SSL_WAIT_HS out of CO_FL_HANDSHAKE, uses this flag
consistently all over the code, and gets rid of CO_FL_HANDSHAKE_NOSSL.

In order to limit the confusion that has accumulated over time, the
CO_FL_SSL_WAIT_HS flag which indicates an ongoing SSL handshake,
possibly used by a renegotiation was moved after the other ones.

diff --git a/include/types/connection.h b/include/types/connection.h
index 22e4ed6e093df6883befdc0aa2753d3944b91ab3..0e98b64a24074a6c08d4ec7f1d61825b5ba520ed 100644 (file)
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -182,18 +182,18 @@ enum {
        CO_FL_WAIT_L6_CONN  = 0x00800000,  /* waiting for L6 to be connected (eg: SSL) */
        CO_FL_WAIT_L4L6     = 0x00C00000,  /* waiting for L4 and/or L6 to be connected */
 
-       /*** All the flags below are used for connection handshakes. Any new
+       /* All the flags below are used for connection handshakes. Any new
         * handshake should be added after this point, and CO_FL_HANDSHAKE
         * should be updated.
         */
        CO_FL_SEND_PROXY    = 0x01000000,  /* send a valid PROXY protocol header */
-       CO_FL_SSL_WAIT_HS   = 0x02000000,  /* wait for an SSL handshake to complete */
-       CO_FL_ACCEPT_PROXY  = 0x04000000,  /* receive a valid PROXY protocol header */
-       CO_FL_ACCEPT_CIP    = 0x08000000,  /* receive a valid NetScaler Client IP header */
+       CO_FL_ACCEPT_PROXY  = 0x02000000,  /* receive a valid PROXY protocol header */
+       CO_FL_ACCEPT_CIP    = 0x04000000,  /* receive a valid NetScaler Client IP header */
 
        /* below we have all handshake flags grouped into one */
-       CO_FL_HANDSHAKE     = CO_FL_SEND_PROXY | CO_FL_SSL_WAIT_HS | CO_FL_ACCEPT_PROXY | CO_FL_ACCEPT_CIP | CO_FL_SOCKS4_SEND | CO_FL_SOCKS4_RECV,
-       CO_FL_HANDSHAKE_NOSSL = CO_FL_SEND_PROXY | CO_FL_ACCEPT_PROXY | CO_FL_ACCEPT_CIP | CO_FL_SOCKS4_SEND | CO_FL_SOCKS4_RECV,
+       CO_FL_HANDSHAKE     = CO_FL_SEND_PROXY | CO_FL_ACCEPT_PROXY | CO_FL_ACCEPT_CIP | CO_FL_SOCKS4_SEND | CO_FL_SOCKS4_RECV,
+
+       CO_FL_SSL_WAIT_HS   = 0x08000000,  /* wait for an SSL handshake to complete */
 
        /* This connection may not be shared between clients */
        CO_FL_PRIVATE       = 0x10000000,

diff --git a/src/backend.c b/src/backend.c
index 809fdd0a4d6743ca061a7405d27d4ef429fea113..97a62eb464c7b9b81abcffa7ac784a0848367c61 100644 (file)
--- a/src/backend.c
+++ b/src/backend.c
@@ -1471,7 +1471,7 @@ int connect_server(struct stream *s)
        /* The CO_FL_SEND_PROXY flag may have been set by the connect method,
         * if so, add our handshake pseudo-XPRT now.
         */
-       if ((srv_conn->flags & CO_FL_HANDSHAKE_NOSSL)) {
+       if ((srv_conn->flags & CO_FL_HANDSHAKE)) {
                if (xprt_add_hs(srv_conn) < 0) {
                        conn_full_close(srv_conn);
                        return SF_ERR_INTERNAL;

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d61e872004fb19e2d97bd15ccd27a65c07105a33..dafd258e870bf6580ba480b2649c5a90e2489281 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6517,7 +6517,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
        }
 #endif
 
-       if (conn->flags & CO_FL_HANDSHAKE)
+       if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_SSL_WAIT_HS))
                /* a handshake was requested */
                return 0;
 
@@ -6628,7 +6628,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
        if (!ctx)
                goto out_error;
 
-       if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
+       if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_SSL_WAIT_HS | CO_FL_EARLY_SSL_HS))
                /* a handshake was requested */
                return 0;
 
@@ -6830,7 +6830,7 @@ static void ssl_sock_shutw(struct connection *conn, void *xprt_ctx, int clean)
 {
        struct ssl_sock_ctx *ctx = xprt_ctx;
 
-       if (conn->flags & CO_FL_HANDSHAKE)
+       if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_SSL_WAIT_HS))
                return;
        if (!clean)
                /* don't sent notify on SSL_shutdown */

diff --git a/src/tcp_rules.c b/src/tcp_rules.c
index aa713c59e016c453f68db5ce8af228e2970242f2..f56129ae135c585d843c5b447d4a11d0967e3ec4 100644 (file)
--- a/src/tcp_rules.c
+++ b/src/tcp_rules.c
@@ -468,7 +468,7 @@ int tcp_exec_l4_rules(struct session *sess)
                                goto end;
                        }
                        else if (rule->action == ACT_TCP_EXPECT_PX) {
-                               if (!(conn->flags & (CO_FL_HANDSHAKE_NOSSL))) {
+                               if (!(conn->flags & CO_FL_HANDSHAKE)) {
                                        if (xprt_add_hs(conn) < 0) {
                                                result = 0;
                                                goto end;
@@ -477,7 +477,7 @@ int tcp_exec_l4_rules(struct session *sess)
                                conn->flags |= CO_FL_ACCEPT_PROXY;
                        }
                        else if (rule->action == ACT_TCP_EXPECT_CIP) {
-                               if (!(conn->flags & (CO_FL_HANDSHAKE_NOSSL))) {
+                               if (!(conn->flags & CO_FL_HANDSHAKE)) {
                                        if (xprt_add_hs(conn) < 0) {
                                                result = 0;
                                                goto end;

diff --git a/src/xprt_handshake.c b/src/xprt_handshake.c
index 8cd63a12f0fe0c0fd8d820259e75936e2cbfbf3c..89446af37fe884360b21f9a4e48d907099b20a0a 100644 (file)
--- a/src/xprt_handshake.c
+++ b/src/xprt_handshake.c
@@ -82,7 +82,7 @@ out:
         * connection error
         * */
        if ((conn->flags & CO_FL_ERROR) ||
-           !(conn->flags & CO_FL_HANDSHAKE_NOSSL)) {
+           !(conn->flags & CO_FL_HANDSHAKE)) {
                int ret = 0;
                int woke = 0;
                int was_conn_ctx = 0;
@@ -185,7 +185,7 @@ static void xprt_handshake_close(struct connection *conn, void *xprt_ctx)
                 * to fallback to the original XPRT to re-initiate the
                 * connection.
                 */
-               conn->flags &= ~CO_FL_HANDSHAKE_NOSSL;
+               conn->flags &= ~CO_FL_HANDSHAKE;
                if (conn->xprt == xprt_get(XPRT_HANDSHAKE))
                        conn->xprt = xprt_get(XPRT_RAW);
                tasklet_free(ctx->wait_event.tasklet);