MINOR: ssl: Handle early data with BoringSSL
authorEmmanuel Hocdet <manu@gandi.net>
Thu, 23 Nov 2017 11:40:07 +0000 (12:40 +0100)
committerWilly Tarreau <w@1wt.eu>
Fri, 24 Nov 2017 12:50:02 +0000 (13:50 +0100)
BoringSSL early data differs from the OpenSSL 1.1.1 implementation. When the early
handshake is done, SSL_in_early_data reports whether SSL_read will be done on early
data. CO_FL_EARLY_SSL_HS and CO_FL_EARLY_DATA can be adjusted accordingly.

src/ssl_sock.c

index e98cc61f0ec7ca6a9bd25d4a2439d19361fe626a..f7e4159236714e68a76597cafb7a76d335740471 100644 (file)
@@ -5000,7 +5000,7 @@ static int ssl_sock_init(struct connection *conn)
 
                /* leave init state and start handshake */
                conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
                conn->flags |= CO_FL_EARLY_SSL_HS;
 #endif
 
@@ -5271,6 +5271,10 @@ reneg_ok:
                }
        }
 
+#ifdef OPENSSL_IS_BORINGSSL
+       if ((conn->flags & CO_FL_EARLY_SSL_HS) && !SSL_in_early_data(conn->xprt_ctx))
+               conn->flags &= ~CO_FL_EARLY_SSL_HS;
+#endif
        /* The connection is now established at both layers, it's time to leave */
        conn->flags &= ~(flag | CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN);
        return 1;
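Review bot: The added BoringSSL block at the top of the hunk clears CO_FL_EARLY_SSL_HS without a comment saying why it is safe to drop here, and the flag names do not make the 0-RTT implication obvious; add something like `/* BoringSSL: the early handshake is done; if no early data is pending, this connection carries no 0-RTT data and can be treated as a normal one. */`. Note that when SSL_in_early_data() is still true the flag is deliberately left set even though the connection is marked established on the next lines, so the read path has to finish the bookkeeping (this commit does that in ssl_sock_to_buf). The enclosing function's body starts and ends outside the hunk.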
@@ -5376,6 +5380,16 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
                } else
 #endif
                ret = SSL_read(conn->xprt_ctx, bi_end(buf), try);
+#ifdef OPENSSL_IS_BORINGSSL
+               if (conn->flags & CO_FL_EARLY_SSL_HS) {
+                       if (SSL_in_early_data(conn->xprt_ctx)) {
+                               if (ret > 0)
+                                       conn->flags |= CO_FL_EARLY_DATA;
+                       } else {
+                               conn->flags &= ~(CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA);
+                       }
+               }
+#endif
                if (conn->flags & CO_FL_ERROR) {
                        /* CO_FL_ERROR may be set by ssl_sock_infocbk */
                        goto out_error;
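Review bot: The early-data bookkeeping added after the SSL_read is evaluated only once the read has already consumed data, so whether the bytes returned by this call get CO_FL_EARLY_DATA depends on what SSL_in_early_data() reports after the read; if BoringSSL can complete the early handshake within the same SSL_read call that returns the last early-data bytes, those bytes would reach the caller without CO_FL_EARLY_DATA and without whatever replay-aware handling the upper layers apply to that flag. Worth confirming against BoringSSL's documented SSL_in_early_data() semantics, and if in doubt sample the state before the read, e.g. `int early = SSL_in_early_data(conn->xprt_ctx);` ahead of the read and `if (early && ret > 0) conn->flags |= CO_FL_EARLY_DATA;` after it. The block also lacks a comment; `/* BoringSSL: bytes read while still in early data are 0-RTT (replayable) and are flagged as such; once the early handshake ends, drop both early flags. */` would make the intent clear. The enclosing ssl_sock_to_buf body starts and ends outside the hunk.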