From: Willy Tarreau
Date: Mon, 21 Aug 2023 10:04:01 +0000 (+0200)
Subject: MINOR: server/ssl: clear the shared good session index on failure
X-Git-Tag: v2.9-dev5~89
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=777f62cfb70d44eaa624f99a75666725b593db20;p=thirdparty%2Fhaproxy.git
MINOR: server/ssl: clear the shared good session index on failure
If we fail to set the session using SSL_set_session(), we want to quickly erase our index from the shared one so that any other thread with a valid session replaces it.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 679ae2e780..90bc7be91f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5752,6 +5752,9 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 SSL_SESSION *sess = d2i_SSL_SESSION(NULL, &ptr, srv->ssl_ctx.reused_sess[tid].size);
 if (sess && !SSL_set_session(ctx->ssl, sess)) {
+ uint old_tid = HA_ATOMIC_LOAD(&srv->ssl_ctx.last_ssl_sess_tid); // 0=none, >0 = tid + 1
+ if (old_tid == tid + 1)
+ HA_ATOMIC_CAS(&srv->ssl_ctx.last_ssl_sess_tid, &old_tid, 0); // no more valid
 SSL_SESSION_free(sess);
 HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.reused_sess[tid].sess_lock);
 ha_free(&srv->ssl_ctx.reused_sess[tid].ptr);
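Review bot: The new reset of `last_ssl_sess_tid` sits inside `if (sess && !SSL_set_session(ctx->ssl, sess))`, so it only runs when the cached blob decodes but cannot be attached; when `d2i_SSL_SESSION()` itself returns NULL the branch is skipped and the shared index can keep advertising this thread's entry to the other threads. If an undecodable blob should count as invalid too, the guard could become `if (!sess || !SSL_set_session(ctx->ssl, sess)) {` (as far as I know `SSL_SESSION_free(NULL)` is a no-op), though it is worth deciding first whether a NULL here may just be a transient allocation failure, in which case keeping the blob is the better choice. The result of `HA_ATOMIC_CAS` is intentionally unused, and a comment would make that explicit, for example `/* a failed CAS means another thread already replaced the index, nothing to undo */`. The rest of `ssl_sock_init`, including any `else` branch and the lock taken before this point, lies outside the hunk, so the NULL case may already be handled there.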