mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-04 20:46:11 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: Don't report read data as early data with AWS-LC

Browse Source 
To read early data with AWS-LC (and BoringSSL), we have to use
SSL_read(). But SSL_read() will also try to do the handshake if it
hasn't been done yet, and at some point will do the handshake and will
return data that are actually not early data. So use SSL_in_early_data()
to make sure that the data we received are actually early data, and only
if so add the CO_FL_EARLY_DATA flag. Otherwise any data first received will be
considered early, and a Early-data header will be added.
As this bug was introduced by 76ba026548975a6d1bc23d1344807c64d994bf1e,
it should be backported with it.
This commit is contained in:
Olivier Houchard 2026-03-12 17:31:43 +01:00 committed by Olivier Houchard
parent 13d13691b5
commit 4102461dd6
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ssl_sock.c
View File

@ -6059,7 +6059,8 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
ret = SSL_read(ctx->ssl, b_tail(&ctx->early_buf),
b_room(&ctx->early_buf));
if (ret > 0) {
conn->flags |= CO_FL_EARLY_DATA;
if (SSL_in_early_data(ctx->ssl))
conn->flags |= CO_FL_EARLY_DATA;
b_add(&ctx->early_buf, ret);
} else {
int err = SSL_get_error(ctx->ssl, ret);