BUG/MEDIUM: ssl: Use the early_data API the right way.
authorOlivier Houchard <ohouchard@haproxy.com>
Fri, 3 May 2019 18:56:19 +0000 (20:56 +0200)
committerOlivier Houchard <cognet@ci0.org>
Fri, 3 May 2019 19:00:10 +0000 (21:00 +0200)
We can only read early data if we're a server, and write if we're a client,
so don't attempt to mix both.

This should be backported to 1.8 and 1.9.

src/backend.c
src/ssl_sock.c

index e41689d2a96e6ae9feeecf4965c4ee8e1ac0f658..e4f58df06b6f9071c72f864813041fa78827767a 100644 (file)
@@ -1587,10 +1587,8 @@ int connect_server(struct stream *s)
            (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
                    (cli_conn->flags & CO_FL_EARLY_DATA) &&
                    !channel_is_empty(si_oc(&s->si[1])) &&
-                   srv_conn->flags & CO_FL_SSL_WAIT_HS) {
+                   srv_conn->flags & CO_FL_SSL_WAIT_HS)
                srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
-               srv_conn->flags |= CO_FL_EARLY_SSL_HS;
-       }
 #endif
 
        if (err != SF_ERR_NONE)
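Review bot: Dropping the braces leaves a four-line `if` condition with a single unbraced statement on the following line, which is the classic way a later addition ends up outside the condition; keep `srv_conn->flags & CO_FL_SSL_WAIT_HS) {` and the closing `}` after the `&=` line even though the body is now one statement. The last operand `srv_conn->flags & CO_FL_SSL_WAIT_HS` is also the only one in the condition not wrapped in parentheses, unlike the `cli_conn->flags` test two lines above; `(srv_conn->flags & CO_FL_SSL_WAIT_HS)` reads consistently and makes the `&`-inside-`&&` precedence explicit. connect_server starts and ends outside the hunk.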
index b26c4fd9d6e7937850485e05f9f21747be027621..f2d80e8cfc777ddfb33452145db3694b6c07d293 100644 (file)
@@ -5830,7 +5830,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
        if (!ctx)
                goto out_error;
 
-       if (conn->flags & CO_FL_HANDSHAKE)
+       if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
                /* a handshake was requested */
                return 0;
 
@@ -5861,7 +5861,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
                }
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-               if (!SSL_is_init_finished(ctx->ssl)) {
+               if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
                        unsigned int max_early;
 
                        if (objt_listener(conn->target))
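Review bot: With the new `conn_is_back(conn)` guard on the outer `if`, the `objt_listener(conn->target)` test on the next line appears to be dead code: a back connection's target is presumably a server rather than a listener, so only the server-side `max_early` lookup can be reached and the listener branch could be dropped. If the listener case is kept deliberately, a comment above the outer `if` such as `/* early data is only written on the client (backend) side; max_early comes from the server ctx */` would tell the next reader why this path is now back-only and why the listener lookup is still present. The same reasoning makes the `objt_server(conn->target)` check in the later hunk at line 5884 look redundant once this guard holds. The max_early selection and the rest of ssl_sock_from_buf lie outside this hunk.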
@@ -5876,8 +5876,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
                        if (try + ctx->sent_early_data > max_early) {
                                try -= (try + ctx->sent_early_data) - max_early;
                                if (try <= 0) {
-                                       if (!(conn->flags & CO_FL_EARLY_SSL_HS))
-                                               conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+                                       conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
                                        break;
                                }
                        }
@@ -5885,10 +5884,8 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
                        if (ret == 1) {
                                ret = written_data;
                                ctx->sent_early_data += ret;
-                               if (objt_server(conn->target)) {
-                                       conn->flags &= ~CO_FL_EARLY_SSL_HS;
+                               if (objt_server(conn->target))
                                        conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
-                               }
 
                        }