From: Emeric Brun
Date: Thu, 8 Nov 2012 17:02:56 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled.
X-Git-Tag: v1.5-dev13~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=282a76acc17b1c23c5204addc2f7d5019cded704;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled.

SSL may decide to switch to a handshake in the middle of a transfer due to a reneg. In this case we don't want to re-enable polling because data might have been left pending in the buffer. We just want to switch immediately to the handshake mode.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2fba79b9d0..8fec632ba6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -984,6 +984,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
 break;
 }
 else if (ret == SSL_ERROR_WANT_READ) {
+ if (SSL_renegotiate_pending(conn->xprt_ctx)) {
+ /* handshake is running, and it may need to re-enable read */
+ conn->flags |= CO_FL_SSL_WAIT_HS;
+ __conn_sock_want_recv(conn);
+ break;
+ }
 /* we need to poll for retry a read later */
 __conn_data_poll_recv(conn);
 break;
@@ -1056,6 +1062,12 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
 else {
 ret = SSL_get_error(conn->xprt_ctx, ret);
 if (ret == SSL_ERROR_WANT_WRITE) {
+ if (SSL_renegotiate_pending(conn->xprt_ctx)) {
+ /* handshake is running, and it may need to re-enable write */
+ conn->flags |= CO_FL_SSL_WAIT_HS;
+ __conn_sock_want_send(conn);
+ break;
+ }
 /* we need to poll to retry a write later */
 __conn_data_poll_send(conn);
 break;
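Review bot: The new SSL_renegotiate_pending() check in ssl_sock_to_buf is only reached when SSL_read reports SSL_ERROR_WANT_READ, yet a peer-initiated renegotiation can equally make SSL_read return SSL_ERROR_WANT_WRITE (and, symmetrically in the ssl_sock_from_buf hunk, SSL_write return SSL_ERROR_WANT_READ); those sibling branches are outside both hunks, and if they still fall through to __conn_data_poll_send/__conn_data_poll_recv the stall on already-decrypted buffered data that the commit message describes can recur in the other direction. It would be worth confirming that both sibling branches get the same CO_FL_SSL_WAIT_HS switch. The inline comment should also state why the ordinary data poll is wrong here, since that is the actual bug being fixed: `/* reneg in progress: switch to handshake mode now rather than data polling, because decrypted data may already be pending in the SSL buffers and no further socket event will wake us */`. The bodies of ssl_sock_to_buf and ssl_sock_from_buf continue outside the hunks, so whether the caller acts on CO_FL_SSL_WAIT_HS after the break cannot be verified from here.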