From 220a26c31647b8cfd76f3922d08cb2e847e3009e Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Thu, 23 Jan 2020 14:57:36 +0100
Subject: [PATCH] BUG/MEDIUM: 0rtt: Only consider the SSL handshake.

We only add the Early-data header, or get ssl_fc_has_early to return 1, if we didn't already did the SSL handshake, as otherwise, we know the early data were fine, and there's no risk of replay attack. But to do so, we wrongly checked CO_FL_HANDSHAKE, we have to check CO_FL_SSL_WAIT_HS instead, as we don't care about the status of any other handshake. This should be backported to 2.1, 2.0, and 1.9. When deciding if we should add the Early-Data header, or if the sample fetch should return
---
 src/http_ana.c | 2 +-
 src/ssl_sock.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/http_ana.c b/src/http_ana.c
index 2891f056b..25110f18c 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -520,7 +520,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
 }
 if (conn && (conn->flags & CO_FL_EARLY_DATA) &&
- (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) {
+ (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) {
 struct http_hdr_ctx ctx;
 ctx.blk = NULL;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b4e118c2b..d61e87200 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7393,7 +7393,7 @@ smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const cha
 }
 #else
 smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) &&
- (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0;
+ (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) ? 1 : 0;
 #endif
 return 1;
 }
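Review bot: The early-data test in http_process_req_common() is the same two-flag expression that smp_fetch_ssl_fc_has_early() evaluates in the src/ssl_sock.c hunk, and this fix had to be applied to both copies by hand. The Early-Data header and the ssl_fc_has_early fetch are both replay-protection signals, so they should not be able to drift apart. A single static inline predicate in a shared connection header would define the rule once, with body `return (conn->flags & CO_FL_EARLY_DATA) && (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS));`, so that this site becomes `if (conn && conn_early_data_unconfirmed(conn)) {` (the helper name is only a suggestion). Whether other call sites still test CO_FL_HANDSHAKE for this purpose cannot be seen from the patch and is worth checking before the backports. The function body starts and ends outside the hunk.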
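Review bot: The `#else` branch of smp_fetch_ssl_fc_has_early() carries no comment saying why CO_FL_SSL_WAIT_HS rather than CO_FL_HANDSHAKE is tested, so nothing in the code stops the broader mask from being reintroduced later. I would add above the assignment: `/* Early data can only be replayed until the SSL handshake completes; other pending handshakes are irrelevant, so do not test CO_FL_HANDSHAKE here. */`. The `#if` branch and the start of the function lie outside the hunk, so it is not visible whether that branch needed the same correction.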