packages/net/haproxy/patches/046-BUG-MEDIUM-0rtt-Only-consider-the-SSL-handshake.patch

commit 00ae17b75d20b30ab445970afb6a15f5d11cf257
Author: Olivier Houchard <ohouchard@haproxy.com>
Date:   Thu Jan 23 14:57:36 2020 +0100

    BUG/MEDIUM: 0rtt: Only consider the SSL handshake.
    
    We only add the Early-data header, or get ssl_fc_has_early to return 1, if
    we didn't already did the SSL handshake, as otherwise, we know the early
    data were fine, and there's no risk of replay attack. But to do so, we
    wrongly checked CO_FL_HANDSHAKE, we have to check CO_FL_SSL_WAIT_HS instead,
    as we don't care about the status of any other handshake.
    
    This should be backported to 2.1, 2.0, and 1.9.
    
    When deciding if we should add the Early-Data header, or if the sample fetch
    should return
    
    (cherry picked from commit 220a26c31647b8cfd76f3922d08cb2e847e3009e)
    Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/src/http_ana.c b/src/http_ana.c
index cb5a60ca9..fc4ca4f49 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -519,7 +519,7 @@ int http_process_req_common(struct stream *s, struct channel *req, int an_bit, s
 	}
 
 	if (conn && (conn->flags & CO_FL_EARLY_DATA) &&
-	    (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) {
+	    (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) {
 		struct http_hdr_ctx ctx;
 
 		ctx.blk = NULL;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2cc5ae80e..c6888c128 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7200,7 +7200,7 @@ smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const cha
 	}
 #else
 	smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA)  &&
-	    (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0;
+	    (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS))) ? 1 : 0;
 #endif
 	return 1;
 }