BUG/MEDIUM: 0rtt: Only consider the SSL handshake.

We only add the Early-data header, or get ssl_fc_has_early to return 1, if
we didn't already do the SSL handshake, as otherwise, we know the early
data were fine, and there's no risk of replay attack. But to do so, we
wrongly checked CO_FL_HANDSHAKE; we have to check CO_FL_SSL_WAIT_HS instead,
as we don't care about the status of any other handshake.

This should be backported to 2.1, 2.0, and 1.9.

When deciding if we should add the Early-Data header, or if the sample fetch
should return
Olivier Houchard 2020-01-23 14:57:36 +01:00 committed by Olivier Houchard
parent c192b0ab95
commit 220a26c316
2 changed files with 2 additions and 2 deletions

@ -520,7 +520,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
} }
if (conn && (conn->flags & CO_FL_EARLY_DATA) && if (conn && (conn->flags & CO_FL_EARLY_DATA) &&
(conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) { (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) {
struct http_hdr_ctx ctx; struct http_hdr_ctx ctx;
ctx.blk = NULL; ctx.blk = NULL;
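Review bot: the two-line condition starting `if (conn && (conn->flags & CO_FL_EARLY_DATA) &&` is the same flag test that smp_fetch_ssl_fc_has_early evaluates, and both copies had to be corrected by hand in this commit. Consider moving the test into one small inline helper shared by both call sites, with a comment saying that only the SSL handshake state matters for the replay decision, so the header insertion and the sample fetch cannot drift apart again. As it stands the reason for picking CO_FL_SSL_WAIT_HS over CO_FL_HANDSHAKE is recorded only in the commit message, not next to the code.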

@ -7393,7 +7393,7 @@ smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const cha
} }
#else #else
smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) && smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) &&
(conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0; (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) ? 1 : 0;
#endif #endif
return 1; return 1;
} }
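Review bot: only the `#else` branch of smp_fetch_ssl_fc_has_early is changed, and the branch before `#else` lies outside the context shown here. Please confirm that branch does not also test CO_FL_HANDSHAKE, otherwise builds that compile the other path keep the old behaviour. Since the commit is marked for backport to 2.1, 2.0 and 1.9, a regression test in which a handshake other than the SSL one is pending while ssl_fc_has_early is evaluated would help show that the fetch and the Early-Data header now agree.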