diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2018-12-18 15:15:15 +0300 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2018-12-18 15:15:15 +0300 |
| commit | 2a11bf0f77358a1116b3ef56c949b242582e798c (patch) | |
| tree | 890eb26816e52c4b5b9bf0aa9c76abdb3dac9716 /src | |
| parent | ce4a23d144762cfa27c0e4b13f74cada2f7486a8 (diff) | |
| download | nginx-2a11bf0f77358a1116b3ef56c949b242582e798c.tar.gz nginx-2a11bf0f77358a1116b3ef56c949b242582e798c.zip | |
SSL: avoid reading on pending SSL_write_early_data().
If SSL_write_early_data() returned SSL_ERROR_WANT_WRITE, stop further reading
using a newly introduced c->ssl->write_blocked flag, as otherwise this would
result in SSL error "ssl3_write_bytes:bad length". Eventually, normal reading
will be restored by read event posted from successful SSL_write_early_data().
While here, place "SSL_write_early_data: want write" debug on the path.
Diffstat (limited to 'src')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 20 | ||||
| -rw-r--r-- | src/event/ngx_event_openssl.h | 1 |
2 files changed, 21 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index a281fba9e..37a4b72b6 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -1839,6 +1839,10 @@ ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) buf += 1; } + if (c->ssl->write_blocked) { + return NGX_AGAIN; + } + /* * SSL_read_early_data() may return data in parts, so try to read * until SSL_read_early_data() would return no data @@ -2339,6 +2343,11 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) ngx_post_event(c->read, &ngx_posted_events); } + if (c->ssl->write_blocked) { + c->ssl->write_blocked = 0; + ngx_post_event(c->read, &ngx_posted_events); + } + c->sent += written; return written; @@ -2352,6 +2361,9 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) if (sslerr == SSL_ERROR_WANT_WRITE) { + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, + "SSL_write_early_data: want write"); + if (c->ssl->saved_read_handler) { c->read->handler = c->ssl->saved_read_handler; @@ -2365,6 +2377,14 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) ngx_post_event(c->read, &ngx_posted_events); } + /* + * OpenSSL 1.1.1a fails to handle SSL_read_early_data() + * if an SSL_write_early_data() call blocked on writing, + * see https://github.com/openssl/openssl/issues/7757 + */ + + c->ssl->write_blocked = 1; + c->write->ready = 0; return NGX_AGAIN; } diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h index abd84ccf0..9ec001d09 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -98,6 +98,7 @@ struct ngx_ssl_connection_s { unsigned try_early_data:1; unsigned in_early:1; unsigned early_preread:1; + unsigned write_blocked:1; }; |