Implement draft-ietf-httpbis-replay-02

nghttpx sends early-data header field when forwarding requests which are received in TLSv1.3 early data, and the TLS handshake is still in progress.
2017-11-26 10:56:39 +09:00 · 2017-11-26 10:56:39 +09:00 · 770e44de4d
parent 2ab319c137
commit 770e44de4d
3 changed files with 24 additions and 2 deletions
--- a/src/http2.cc
+++ b/src/http2.cc
@ -107,6 +107,9 @@ StringRef get_reason_phrase(unsigned int status_code) {
    return StringRef::from_lit("Expectation Failed");
  case 421:
    return StringRef::from_lit("Misdirected Request");
+  case 425:
+    // https://tools.ietf.org/html/draft-ietf-httpbis-replay-02
+    return StringRef::from_lit("Too Early");
  case 426:
    return StringRef::from_lit("Upgrade Required");
  case 428:
--- a/src/shrpx_http2_downstream_connection.cc
+++ b/src/shrpx_http2_downstream_connection.cc
@ -41,6 +41,7 @@
 #include "shrpx_log.h"
 #include "http2.h"
 #include "util.h"
+#include "ssl_compat.h"

 using namespace nghttp2;

@ -271,7 +272,7 @@ int Http2DownstreamConnection::push_request_headers() {
    num_cookies = downstream_->count_crumble_request_cookie();
  }

-  // 9 means:
+  // 10 means:
  // 1. :method
  // 2. :scheme
  // 3. :path
@ -281,8 +282,9 @@ int Http2DownstreamConnection::push_request_headers() {
  // 7. x-forwarded-proto (optional)
  // 8. te (optional)
  // 9. forwarded (optional)
+  // 10. early-data (optional)
  auto nva = std::vector<nghttp2_nv>();
-  nva.reserve(req.fs.headers().size() + 9 + num_cookies +
+  nva.reserve(req.fs.headers().size() + 10 + num_cookies +
              httpconf.add_request_headers.size());

  nva.push_back(
@ -333,6 +335,14 @@ int Http2DownstreamConnection::push_request_headers() {
  auto upstream = downstream_->get_upstream();
  auto handler = upstream->get_client_handler();

+#if OPENSSL_1_1_1_API
+  auto conn = handler->get_connection();
+
+  if (!SSL_is_init_finished(conn->tls.ssl)) {
+    nva.push_back(http2::make_nv_ll("early-data", "1"));
+  }
+#endif // OPENSSL_1_1_1_API
+
  auto fwd =
      fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);

--- a/src/shrpx_http_downstream_connection.cc
+++ b/src/shrpx_http_downstream_connection.cc
@ -39,6 +39,7 @@
 #include "shrpx_log.h"
 #include "http2.h"
 #include "util.h"
+#include "ssl_compat.h"

 using namespace nghttp2;

@ -584,6 +585,14 @@ int HttpDownstreamConnection::push_request_headers() {
  auto upstream = downstream_->get_upstream();
  auto handler = upstream->get_client_handler();

+#if OPENSSL_1_1_1_API
+  auto conn = handler->get_connection();
+
+  if (!SSL_is_init_finished(conn->tls.ssl)) {
+    buf->append("Early-Data: 1\r\n");
+  }
+#endif // OPENSSL_1_1_1_API
+
  auto fwd =
      fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);