From: Olivier Houchard Date: Wed, 20 Aug 2025 13:30:48 +0000 (+0000) Subject: MINOR: ssl: Add a "flags" field to ssl_sock_ctx. X-Git-Tag: v3.3-dev7~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2623b7822eb18ae7daf7c1a066eecc011ec73b4e;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add a "flags" field to ssl_sock_ctx. Instead of adding more separate fields in ssl_sock_ctx, add a "flags" one. Convert the "can_send_early_data" to the flag SSL_SOCK_F_EARLY_ENABLED. More flags will be added for kTLS support.
---
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index a775b03e3..feb936222 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -246,6 +246,11 @@ struct ssl_keylog {
 };
 #endif
+/*
+ * ssl_sock_ctx flags
+ */
+#define SSL_SOCK_F_EARLY_ENABLED (1 << 0) /* We did not start the handshake yet so we can send early data */
+
 struct ssl_sock_ctx {
 struct connection *conn;
 SSL *ssl;
@@ -258,7 +263,7 @@ struct ssl_sock_ctx {
 unsigned long error_code; /* last error code of the error stack */
 struct buffer early_buf; /* buffer to store the early data received */
 int sent_early_data; /* Amount of early data we sent so far */
- int can_send_early_data; /* We did not start the handshake yet so we can send early data */
+ int flags; /* Various flags for the ssl_sock_ctx */
 #ifdef USE_QUIC
 struct quic_conn *qc;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad8259070..f67e30b0d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5104,7 +5104,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 ctx->xprt_st = 0;
 ctx->xprt_ctx = NULL;
 ctx->error_code = 0;
- ctx->can_send_early_data = 1;
+ ctx->flags = SSL_SOCK_F_EARLY_ENABLED;
 next_sslconn = increment_sslconn();
 if (!next_sslconn) {
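Review bot: `int flags;` in the second ssl_sock-t.h hunk is a signed field used as a bitmask, and the commit message announces more flags; if a flag is ever defined as `(1 << 31)`, that shift is undefined behaviour on a 32-bit int, and every `&`/`|` test against an unsigned value drags in signed/unsigned conversions. Declare the field as `unsigned int flags; /* SSL_SOCK_F_* bits */` and define the flag with an unsigned constant, `#define SSL_SOCK_F_EARLY_ENABLED (1U << 0)`. The struct definition continues outside the hunk; the assignment `ctx->flags = SSL_SOCK_F_EARLY_ENABLED;` in the ssl_sock_init hunk is a full reset at context creation and is consistent with that change.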
@@ -5459,7 +5459,7 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 /* read some data: consider handshake completed */
 goto reneg_ok;
 }
- ctx->can_send_early_data = 0;
+ ctx->flags &=~ SSL_SOCK_F_EARLY_ENABLED;
 ret = SSL_do_handshake(ctx->ssl);
 check_error:
 if (ret != 1) {
@@ -5933,10 +5933,10 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 #endif
 /* * We have to check can_send_early_data here, as the handshake flags
+ * We have to check SSL_SOCK_F_EARLY_ENABLED here, as the handshake flags
 * may have been removed in case we want to try to send early data.
 */
- if (ctx->can_send_early_data ||
+ if ((ctx->flags & SSL_SOCK_F_EARLY_ENABLED) ||
 (conn->flags & (CO_FL_WAIT_XPRT | CO_FL_SSL_WAIT_HS))) {
 /* a handshake was requested */
 TRACE_LEAVE(SSL_EV_CONN_RECV, conn);
@@ -6112,7 +6112,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 ctx->xprt_st &= ~SSL_SOCK_SEND_MORE;
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
- if (ctx->can_send_early_data && conn_is_back(conn)) {
+ if ((ctx->flags & SSL_SOCK_F_EARLY_ENABLED) && conn_is_back(conn)) {
 unsigned int max_early;
 if (objt_listener(conn->target))
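Review bot: `ctx->flags &=~ SSL_SOCK_F_EARLY_ENABLED;` in the ssl_sock_handshake hunk spaces the operators as if `&=~` were a single token; write it as `ctx->flags &= ~SSL_SOCK_F_EARLY_ENABLED;` so it reads like the `ctx->xprt_st &= ~SSL_SOCK_SEND_MORE;` line in the ssl_sock_from_buf hunk. The bit is cleared immediately before `SSL_do_handshake()`, which is what keeps the flag's definition comment ("we did not start the handshake yet") accurate, so a short comment on that line, `/* the handshake starts here: early data can no longer be sent */`, would make the ordering explicit for the next reader. ssl_sock_handshake, ssl_sock_to_buf and ssl_sock_from_buf all start and end outside their hunks.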