nghttpx: Postpone early data processing if CH replay detected
parent
5e59577e93
commit
abcdca91ba
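--- a/<file-path-not-shown-on-page-1>
+++ b/<file-path-not-shown-on-page-1>
@@ -145,6 +145,7 @@ void Connection::disconnect() {
 tls.sct_requested = false;
 tls.early_data_finish = false;
 tls.early_cb_called = false;
+tls.postpone_early_data = false;
 }
 
 if (fd != -1) {
@@ -456,7 +457,8 @@ int Connection::tls_handshake() {
 // server waits for EndOfEarlyData and Finished message from
 // client, which voids the purpose of 0-RTT data. The left
 // over of handshake is done through write_tls or read_tls.
-if ((tls.handshake_state == TLS_CONN_WRITE_STARTED ||
+if (!tls.postpone_early_data &&
+(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
 tls.wbuf.rleft()) &&
 tls.earlybuf.rleft()) {
 rv = 1;
@@ -478,7 +480,8 @@ int Connection::tls_handshake() {
 }
 tls.early_data_finish = true;
 // The same reason stated above.
-if ((tls.handshake_state == TLS_CONN_WRITE_STARTED ||
+if (!tls.postpone_early_data &&
+(tls.handshake_state == TLS_CONN_WRITE_STARTED ||
 tls.wbuf.rleft()) &&
 tls.earlybuf.rleft()) {
 rv = 1;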
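Review bot: The two new guards `if (!tls.postpone_early_data &&` in tls_handshake suppress the early return without saying what the flag protects against, and the comment block above the first one still only explains the 0-RTT latency trade-off. A why-comment directly ahead of the new condition would make the intent auditable, e.g. `// Do not release early data while postpone_early_data is set: the anti-replay store could not record this ClientHello, so the 0-RTT data is held until the full handshake proves the peer is live.` The same compound condition now appears verbatim twice (second tls_handshake hunk as well); a small `bool early_data_ready() const` predicate on the connection would keep the two copies from drifting apart. The flag is reset only in disconnect() as far as this page shows; whether anything clears it once the handshake completes cannot be seen here, which is harmless if the check is only reached during the handshake. Both tls_handshake hunks are cut from a function whose body starts and ends outside them.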
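--- a/<file-path-not-shown-on-page-2>
+++ b/<file-path-not-shown-on-page-2>
@@ -94,6 +94,9 @@ struct TLSConnection {
 bool early_data_finish;
 // true if early_cb gets called.
 bool early_cb_called;
+// true if processing early data should be postponed until handshake
+// finishes.
+bool postpone_early_data;
 };
 
 struct TCPHint {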
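Review bot: The new `bool postpone_early_data;` is declared without an in-class initializer, like its siblings, so on a freshly constructed connection it is indeterminate unless the owning object is value-initialized on a path not shown here; disconnect() resets it, but the first handshake relies on that construction path. If the struct is not already brace-initialized, `bool postpone_early_data = false;` would remove the question (an indeterminate true would only postpone, so the failure direction is safe, but it should not be left to chance). The comment could also record who sets it and why, e.g. `// Set by early_cb when the anti-replay store could not record the ClientHello; 0-RTT data is then held until the handshake finishes. Reset in disconnect().`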
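--- a/<file-path-not-shown-on-page-3>
+++ b/<file-path-not-shown-on-page-3>
@@ -613,9 +613,10 @@ int early_cb(SSL *ssl, int *al, void *arg) {
 conn->tls.anti_replay_req = nullptr;
 
 if (res.status_code != 0) {
-// If we cannot add key/value, just disable 0-RTT early data.
-// Note that memcached atomically adds key/value.
-conn->tls.early_data_finish = true;
+// If we cannot add key/value, just postpone processing 0-RTT
+// early data until handshake finishes. Note that memcached
+// atomically adds key/value.
+conn->tls.postpone_early_data = true;
 }
 
 conn->tls.handshake_state = TLS_CONN_NORMAL;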
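Review bot: `if (res.status_code != 0)` treats every failed add the same way — a key that was already present (the replayed ClientHello this commit is about) and a store failure such as a timeout — and the rewritten comment still says only "if we cannot add key/value". Postponing in both cases is the fail-safe direction, so the behaviour is sound, but a replay is a security-relevant event while a store error is an operational one; distinguishing them in the comment, and ideally in a log line, would make genuine replays observable to operators. Suggested first line for the comment: `// The add failed: either the key already exists (this ClientHello was seen before, a possible replay) or the store is unavailable; in both cases hold 0-RTT data until the handshake completes.` Whether the response carries a distinct code for "already exists" cannot be seen from this hunk. early_cb's body starts and ends outside the hunk.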