[nginx] SSL: avoid reading on pending SSL_write_early_data().

Sergey Kandaurov
December 18, 2018 07:28AM
details: https://hg.nginx.org/nginx/rev/294162223c7c
branches:
changeset: 7431:294162223c7c
user: Sergey Kandaurov <pluknet@nginx.com>
date: Tue Dec 18 15:15:15 2018 +0300
description:
SSL: avoid reading on pending SSL_write_early_data().

If SSL_write_early_data() returned SSL_ERROR_WANT_WRITE, stop further reading
using a newly introduced c->ssl->write_blocked flag, as otherwise this would
result in SSL error "ssl3_write_bytes:bad length". Eventually, normal reading
will be restored by read event posted from successful SSL_write_early_data().

While here, place "SSL_write_early_data: want write" debug on the path.

diffstat:

src/event/ngx_event_openssl.c | 20 ++++++++++++++++++++
src/event/ngx_event_openssl.h | 1 +
2 files changed, 21 insertions(+), 0 deletions(-)

diffs (62 lines):

diff -r 286ae954009d -r 294162223c7c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Dec 14 18:11:06 2018 +0300
+++ b/src/event/ngx_event_openssl.c Tue Dec 18 15:15:15 2018 +0300
@@ -1839,6 +1839,10 @@ ngx_ssl_recv_early(ngx_connection_t *c,
buf += 1;
}

+ if (c->ssl->write_blocked) {
+ return NGX_AGAIN;
+ }
+
/*
* SSL_read_early_data() may return data in parts, so try to read
* until SSL_read_early_data() would return no data
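Review bot: the `write_blocked` early return in ngx_ssl_recv_early() sits after the block that ends in `buf += 1;`, so if that block has already placed a byte into the caller's buffer, returning `NGX_AGAIN` here does not report it. Either move the check above that block or confirm the two states cannot coincide, and add a one-line comment pointing at the explanation in ngx_ssl_write_early(), since the reason for refusing to read is not stated at this site.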
@@ -2339,6 +2343,11 @@ ngx_ssl_write_early(ngx_connection_t *c,
ngx_post_event(c->read, &ngx_posted_events);
}

+ if (c->ssl->write_blocked) {
+ c->ssl->write_blocked = 0;
+ ngx_post_event(c->read, &ngx_posted_events);
+ }
+
c->sent += written;

return written;
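Review bot: in the success path the new `write_blocked` block posts `c->read` right after the preceding context block has already called `ngx_post_event(c->read, &ngx_posted_events)`, so one successful write can reach both posts. ngx_post_event() skips an event that is already posted, so this is harmless, but a short comment saying that this post is what resumes the reads stopped in ngx_ssl_recv_early() would make the pairing with the flag explicit. It is also worth confirming that no other exit from ngx_ssl_write_early() needs to clear the flag, since this is the only reset in the diff.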
@@ -2352,6 +2361,9 @@ ngx_ssl_write_early(ngx_connection_t *c,

if (sslerr == SSL_ERROR_WANT_WRITE) {

+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL_write_early_data: want write");
+
if (c->ssl->saved_read_handler) {

c->read->handler = c->ssl->saved_read_handler;
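Review bot: the `SSL_write_early_data: want write` debug line is unrelated to the `write_blocked` fix (the description itself files it under "While here"); putting it in its own changeset would keep the workaround easy to revert or backport on its own.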
@@ -2365,6 +2377,14 @@ ngx_ssl_write_early(ngx_connection_t *c,
ngx_post_event(c->read, &ngx_posted_events);
}

+ /*
+ * OpenSSL 1.1.1a fails to handle SSL_read_early_data()
+ * if an SSL_write_early_data() call blocked on writing,
+ * see https://github.com/openssl/openssl/issues/7757
+ */
+
+ c->ssl->write_blocked = 1;
+
c->write->ready = 0;
return NGX_AGAIN;
}
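Review bot: `c->ssl->write_blocked = 1;` is set unconditionally on `SSL_ERROR_WANT_WRITE`, while the comment above it ties the problem to OpenSSL 1.1.1a. Say in the comment whether the workaround is meant to apply to every library version with early data support or only until the referenced issue is fixed, so a later reader knows when it can be removed.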
diff -r 286ae954009d -r 294162223c7c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Dec 14 18:11:06 2018 +0300
+++ b/src/event/ngx_event_openssl.h Tue Dec 18 15:15:15 2018 +0300
@@ -98,6 +98,7 @@ struct ngx_ssl_connection_s {
unsigned try_early_data:1;
unsigned in_early:1;
unsigned early_preread:1;
+ unsigned write_blocked:1;
};


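Review bot: `write_blocked` in struct ngx_ssl_connection_s reads as a general write state, but in this diff it is set and tested only in ngx_ssl_write_early() and ngx_ssl_recv_early(). A short comment on the field, or a name that mentions early data, would keep it from being reused for ordinary write blocking.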
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel