From: Emmanuel Hocdet <manu@gandi.net>
Date: Wed, 7 Aug 2019 12:44:49 +0000 (+0200)
Subject: MINOR: ssl: ssl_fc_has_early should work for BoringSSL
X-Git-Tag: v2.1-dev2~221
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9858010c2b2b97ff3652baeeb52f6bc17b27cb7;p=thirdparty%2Fhaproxy.git

MINOR: ssl: ssl_fc_has_early should work for BoringSSL

CO_FL_EARLY_SSL_HS/CO_FL_EARLY_DATA are removed for BoringSSL. Early
data can be checked via BoringSSL API and ssl_fc_has_early can used it.

This should be backported to all versions till 1.8.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9186714643..a95ff65b68 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6609,9 +6609,16 @@ smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const cha
 
 	smp->flags = 0;
 	smp->data.type = SMP_T_BOOL;
+#ifdef OPENSSL_IS_BORINGSSL
+	{
+		struct ssl_sock_ctx *ctx = conn->xprt_ctx;
+		smp->data.u.sint = (SSL_in_early_data(ctx->ssl) &&
+				    SSL_early_data_accepted(ctx->ssl));
+	}
+#else
 	smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA)  &&
 	    (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0;
-
+#endif
 	return 1;
 }