nghttpx: Postpone early data processing if CH replay detected

abcdca91 · Tatsuhiro Tsujikawa · 5e59577e · abcdca91 · abcdca91 · abcdca91
Commit abcdca91 authored May 16, 2017 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

src/shrpx_connection.cc src/shrpx_connection.cc +5 -2

src/shrpx_connection.h src/shrpx_connection.h +3 -0

src/shrpx_tls.cc src/shrpx_tls.cc +4 -3

No files found.
--- a/src/shrpx_connection.cc
+++ b/src/shrpx_connection.cc
@@ -145,6 +145,7 @@ void Connection::disconnect() {
    tls.sct_requested = false;
    tls.early_data_finish = false;
    tls.early_cb_called = false;
+    tls.postpone_early_data = false;
  }

  if (fd != -1) {
@@ -456,7 +457,8 @@ int Connection::tls_handshake() {
        // server waits for EndOfEarlyData and Finished message from
        // client, which voids the purpose of 0-RTT data.  The left
        // over of handshake is done through write_tls or read_tls.
-        if ((tls.handshake_state == TLS_CONN_WRITE_STARTED ||
+        if (!tls.postpone_early_data &&
+            (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
             tls.wbuf.rleft()) &&
            tls.earlybuf.rleft()) {
          rv = 1;
@@ -478,7 +480,8 @@ int Connection::tls_handshake() {
        }
        tls.early_data_finish = true;
        // The same reason stated above.
-        if ((tls.handshake_state == TLS_CONN_WRITE_STARTED ||
+        if (!tls.postpone_early_data &&
+            (tls.handshake_state == TLS_CONN_WRITE_STARTED ||
             tls.wbuf.rleft()) &&
            tls.earlybuf.rleft()) {
          rv = 1;

--- a/src/shrpx_connection.h
+++ b/src/shrpx_connection.h
@@ -94,6 +94,9 @@ struct TLSConnection {
  bool early_data_finish;
  // true if early_cb gets called.
  bool early_cb_called;
+  // true if processing early data should be postponed until handshake
+  // finishes.
+  bool postpone_early_data;
 };

 struct TCPHint {

--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -613,9 +613,10 @@ int early_cb(SSL *ssl, int *al, void *arg) {
    conn->tls.anti_replay_req = nullptr;

    if (res.status_code != 0) {
-      // If we cannot add key/value, just disable 0-RTT early data.
-      // Note that memcached atomically adds key/value.
-      conn->tls.early_data_finish = true;
+      // If we cannot add key/value, just postpone processing 0-RTT
+      // early data until handshake finishes.  Note that memcached
+      // atomically adds key/value.
+      conn->tls.postpone_early_data = true;
    }

    conn->tls.handshake_state = TLS_CONN_NORMAL;