From ef6f834070674a68fe203186a4ee7d592c8a680f Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Fri, 8 Aug 2025 20:17:55 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: fix build with AWS-LC

AWS-LC doesn't provide SSL_in_before(), and doesn't provide an easy way to know if we already started the handshake or not. So instead, just add a new field in ssl_sock_ctx, "can_write_early_data", that will be initialized to 1, and will be set to 0 as soon as we start the handshake.

This should be backported up to 2.8 with 13aa5616c9f99dbca0711fd18f716bd6f48eb2ae.

(cherry picked from commit b6702d53427a22725c125425552074c622c2f25d)
Signed-off-by: Amaury Denoyelle
(cherry picked from commit 5ff41e99b8f68eb674231d99e546783b27c7e562)
Signed-off-by: Christopher Faulet
(cherry picked from commit 3fff6803385f325c6a87d00405978ab7a2b280e6)
Signed-off-by: Christopher Faulet
---
 include/haproxy/ssl_sock-t.h | 1 +
 src/ssl_sock.c | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index d111883..757f16b 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -254,6 +254,7 @@ struct ssl_sock_ctx {
 	unsigned long error_code; /* last error code of the error stack */
 	struct buffer early_buf; /* buffer to store the early data received */
 	int sent_early_data; /* Amount of early data we sent so far */
+	int can_send_early_data; /* We did not start the handshake yet so we can send early data */
 
 #ifdef USE_QUIC
 	struct quic_conn *qc;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 44770ff..3a5d7ef 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5640,6 +5640,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 	ctx->xprt_st = 0;
 	ctx->xprt_ctx = NULL;
 	ctx->error_code = 0;
+	ctx->can_send_early_data = 1;
 
 	next_sslconn = increment_sslconn();
 	if (!next_sslconn) {
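Review bot: The member declared in this hunk is `can_send_early_data`, while the commit message calls it "can_write_early_data"; the two should be aligned so the description matches the code that gets backported. The comment on the new member states what the flag means but not who clears it, which is the property the read and write paths now rely on in place of SSL_in_before(); I would extend it to `/* set in ssl_sock_init(), cleared by ssl_sock_handshake() right before its SSL_do_handshake() call; stands in for SSL_in_before(), which AWS-LC lacks */`. The struct ssl_sock_ctx definition starts and ends outside the hunk.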
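Review bot: `ctx->can_send_early_data = 1;` is the only initialization of the new flag in this patch, and ssl_sock_ctx also carries a USE_QUIC member, which suggests the struct may be allocated on another path as well; if so, that path needs the same assignment, otherwise the flag holds whatever the allocator left behind and ssl_sock_to_buf()/ssl_sock_from_buf() branch on it. Worth confirming that every ssl_sock_ctx allocation site sets it, or that the other sites never reach the early-data checks. ssl_sock_init() starts and ends outside the hunk.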
@@ -5966,6 +5967,7 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 		/* read some data: consider handshake completed */
 		goto reneg_ok;
 	}
+	ctx->can_send_early_data = 0;
 	ret = SSL_do_handshake(ctx->ssl);
 check_error:
 	if (ret != 1) {
@@ -6405,10 +6407,10 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
 #endif
 
 	/*
-	 * We have to check SSL_in_before() here, as the handshake flags
+	 * We have to check can_send_early_data here, as the handshake flags
 	 * may have been removed in case we want to try to send early data.
 	 */
-	if (SSL_in_before(ctx->ssl) ||
+	if (ctx->can_send_early_data ||
 	    (conn->flags & (CO_FL_WAIT_XPRT | CO_FL_SSL_WAIT_HS)))
 		/* a handshake was requested */
 		return 0;
@@ -6565,7 +6567,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
 	ctx->xprt_st &= ~SSL_SOCK_SEND_MORE;
 
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
-	if (SSL_in_before(ctx->ssl) && conn_is_back(conn)) {
+	if (ctx->can_send_early_data && conn_is_back(conn)) {
 		unsigned int max_early;
 
 		if (objt_listener(conn->target))
-- 
1.7.10.4
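Review bot: The new `ctx->can_send_early_data = 0;` carries no comment, yet its position is the whole contract of the flag: it must stay immediately before the SSL_do_handshake() call on the next line, and any path that drives the TLS state without passing through here (the `goto reneg_ok` just above, or an earlier `goto check_error` if one exists) leaves the flag untouched. I would annotate it with `/* the handshake starts here: from now on no early data may be sent (replaces SSL_in_before(), which AWS-LC lacks) */`. ssl_sock_handshake() starts and ends outside the hunk.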
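Review bot: With this condition the flag still reads 1 after the early-data write that presumably follows below the hunk, until ssl_sock_handshake() runs, whereas SSL_in_before() would have become false as soon as the first early write put the ClientHello on the wire; if this check sits in a loop that retries for the remaining count, the early-data branch is now re-entered where the old code fell through to the regular write. That may be acceptable since the sent_early_data/max_early bound still applies, but it is a behavioral difference the commit message does not mention and should be confirmed; if it is not intended, clearing `ctx->can_send_early_data` after the first successful early write restores the previous behavior. ssl_sock_from_buf() starts and ends outside the hunk.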