From: Olivier Houchard
Date: Fri, 3 May 2019 18:56:19 +0000 (+0200)
Subject: BUG/MEDIUM: ssl: Use the early_data API the right way.
X-Git-Tag: v2.0-dev3~129
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=010941f87605e8219d25becdbc652350a687d6a2;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: Use the early_data API the right way.

We can only read early data if we're a server, and write if we're a client, so don't attempt to mix both.

This should be backported to 1.8 and 1.9.
---
diff --git a/src/backend.c b/src/backend.c
index e41689d2a9..e4f58df06b 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1587,10 +1587,8 @@ int connect_server(struct stream *s)
 (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
 (cli_conn->flags & CO_FL_EARLY_DATA) &&
 !channel_is_empty(si_oc(&s->si[1])) &&
- srv_conn->flags & CO_FL_SSL_WAIT_HS) {
+ srv_conn->flags & CO_FL_SSL_WAIT_HS)
 srv_conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
- srv_conn->flags |= CO_FL_EARLY_SSL_HS;
- }
 #endif
 
 if (err != SF_ERR_NONE)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b26c4fd9d6..f2d80e8cfc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5830,7 +5830,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 if (!ctx)
 goto out_error;
 
- if (conn->flags & CO_FL_HANDSHAKE)
+ if (conn->flags & (CO_FL_HANDSHAKE | CO_FL_EARLY_SSL_HS))
 /* a handshake was requested */
 return 0;
 
@@ -5861,7 +5861,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 
 }
 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
- if (!SSL_is_init_finished(ctx->ssl)) {
+ if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
 unsigned int max_early;
 
 if (objt_listener(conn->target))
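Review bot: The surviving single-statement body clears CO_FL_SSL_WAIT_HS and CO_FL_WAIT_L6_CONN without saying why, and with the CO_FL_EARLY_SSL_HS marker gone nothing in connect_server() tells a reader that the handshake wait is dropped on purpose so the first send can go out as early data (as the sent_early_data accounting in ssl_sock_from_buf() suggests). A comment above the assignment, such as `/* defer the handshake wait: the first send is attempted as early data and ssl_sock_from_buf() re-arms the wait once that is done or impossible */`, would carry that intent. The last operand of the condition is also the only bitwise test in the chain left unparenthesized; `(srv_conn->flags & CO_FL_SSL_WAIT_HS))` would match its siblings (`&` does bind tighter than `&&`, so this is readability only). connect_server() starts and ends outside the hunk.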
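Review bot: The comment `/* a handshake was requested */` under the widened test no longer describes the second flag: with CO_FL_EARLY_SSL_HS in the mask the early return also covers a connection whose early-data handshake is still in flight, and a reader asking why writes are refused there will not find the answer. Suggest `/* a handshake was requested, or the early-data handshake is still in progress: nothing can be written yet */`. The backend.c hunk of this same commit removes the only setter of CO_FL_EARLY_SSL_HS visible here, so this branch presumably only fires for the frontend side that reads early data; if that is the case, saying so in the comment would help. ssl_sock_from_buf() begins before and ends after this hunk.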
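Review bot: The block is now entered only when conn_is_back(conn) is true, yet the line directly below still tests `objt_listener(conn->target)` to choose max_early, and the -5885 hunk keeps `if (objt_server(conn->target))` inside the same block; if conn_is_back() means the target is a server rather than a listener, as its name suggests, the listener branch is dead and the server test is always true. Either drop both checks and keep only the non-listener branch of that if (its body lies outside the hunk), or put a comment on the new condition stating the division of roles, e.g. `/* only a client writes early data; the server side reads it in the handshake path */`. The block body continues past the end of this hunk, so the removal cannot be proposed here in full.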
@@ -5876,8 +5876,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 if (try + ctx->sent_early_data > max_early) {
 try -= (try + ctx->sent_early_data) - max_early;
 if (try <= 0) {
- if (!(conn->flags & CO_FL_EARLY_SSL_HS))
- conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
 break;
 }
 }
@@ -5885,10 +5884,8 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 if (ret == 1) {
 ret = written_data;
 ctx->sent_early_data += ret;
- if (objt_server(conn->target)) {
- conn->flags &= ~CO_FL_EARLY_SSL_HS;
+ if (objt_server(conn->target))
 conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
- }
 
 }
 
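Review bot: The now unconditional `conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;` before `break` has no comment saying when it is reached; from the surrounding lines it fires once try shrinks to zero because sent_early_data has caught up with max_early, i.e. the early-data budget is used up. A short comment above the assignment such as `/* early-data budget exhausted: wait for the handshake before sending the rest */` would make the transition back to the normal write path explicit. The loop this sits in begins and ends outside the hunk.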