SSL: avoid reading on pending SSL_write_early_data().
If SSL_write_early_data() returned SSL_ERROR_WANT_WRITE, stop further reading using a newly introduced c->ssl->write_blocked flag, as otherwise this would result in SSL error "ssl3_write_bytes:bad length". Eventually, normal reading will be restored by read event posted from successful SSL_write_early_data(). While here, place "SSL_write_early_data: want write" debug on the path.
parent
ce4a23d144
commit
2a11bf0f77
@ -1839,6 +1839,10 @@ ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size)
|
||||
buf += 1;
|
||||
}
|
||||
|
||||
if (c->ssl->write_blocked) {
|
||||
return NGX_AGAIN;
|
||||
}
|
||||
|
||||
/*
|
||||
* SSL_read_early_data() may return data in parts, so try to read
|
||||
* until SSL_read_early_data() would return no data
|
||||
@ -2339,6 +2343,11 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size)
|
||||
ngx_post_event(c->read, &ngx_posted_events);
|
||||
}
|
||||
|
||||
if (c->ssl->write_blocked) {
|
||||
c->ssl->write_blocked = 0;
|
||||
ngx_post_event(c->read, &ngx_posted_events);
|
||||
}
|
||||
|
||||
c->sent += written;
|
||||
|
||||
return written;
|
||||
@ -2352,6 +2361,9 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size)
|
||||
|
||||
if (sslerr == SSL_ERROR_WANT_WRITE) {
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
|
||||
"SSL_write_early_data: want write");
|
||||
|
||||
if (c->ssl->saved_read_handler) {
|
||||
|
||||
c->read->handler = c->ssl->saved_read_handler;
|
||||
@ -2365,6 +2377,14 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size)
|
||||
ngx_post_event(c->read, &ngx_posted_events);
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenSSL 1.1.1a fails to handle SSL_read_early_data()
|
||||
* if an SSL_write_early_data() call blocked on writing,
|
||||
* see https://github.com/openssl/openssl/issues/7757
|
||||
*/
|
||||
|
||||
c->ssl->write_blocked = 1;
|
||||
|
||||
c->write->ready = 0;
|
||||
return NGX_AGAIN;
|
||||
}
|
||||
|
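Review bot: The early return added in ngx_ssl_recv_early() (`if (c->ssl->write_blocked) { return NGX_AGAIN; }`) is silent and uncommented; the reason for it is documented only in the comment of the last hunk, inside ngx_ssl_write_early(). A suppressed read looks like a stalled connection in a debug log, so I would add a trace next to it, `ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read_early_data: write blocked");`, and a one-line comment pointing at the OpenSSL issue cited in that last hunk. In the visible lines write_blocked is cleared only after a successful write, so the read side stays parked for as long as the pending write cannot complete. Presumably the send timeout bounds that state, but this is worth confirming because the other exit paths of ngx_ssl_write_early() are not shown. Both functions start and end outside the hunks.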
@ -98,6 +98,7 @@ struct ngx_ssl_connection_s {
|
||||
unsigned try_early_data:1;
|
||||
unsigned in_early:1;
|
||||
unsigned early_preread:1;
|
||||
unsigned write_blocked:1;
|
||||
};
|
||||
|
||||
|
||||
|