Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / c78ac5ade6bdaf46634edf08fecd735ab7d0a5f1^! / .
commitc78ac5ade6bdaf46634edf08fecd735ab7d0a5f1[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Wed Nov 17 02:59:21 2021 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Tue Nov 23 15:12:29 2021 +0100
tree18a279d04fe7bea5b2978a38db5698fb7ba5fff6
parentd5d6fdc4975ed87725f97f1335a92832699482ff [diff]
BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3

When establishing an outboud connection, haproxy checks if the cached
TLS session has the same SNI as the connection we are trying to
resume.

This test was done by calling SSL_get_servername() which in TLSv1.2
returned the SNI. With TLSv1.3 this is not the case anymore and this
function returns NULL, which invalidates any outboud connection we are
trying to resume if it uses the sni keyword on its server line.

This patch fixes the problem by storing the SNI in the "reused_sess"
structure beside the session itself.

The ssl_sock_set_servername() now has a RWLOCK because this session
cache entry could be accessed by the CLI when trying to update a
certificate on the backend.

This fix must be backported in every maintained version, however the
RWLOCK only exists since version 2.4.

(cherry picked from commit e18d4e82862eb5c9b54b89f85d4c3b7c82d7395e)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index cd95f9e..7fd4288 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h

@@ -336,6 +336,7 @@
 			unsigned char *ptr;
 			int size;
 			int allocated_size;
+			char *sni; /* SNI used for the session */
 		} * reused_sess;
 
 		struct ckch_inst *inst; /* Instance of the ckch_store in which the certificate was loaded (might be null if server has no certificate) */

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 6931d19..76ef207 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c

@@ -1404,8 +1404,10 @@
 						ckchi->server->ssl_ctx.inst = ckchi;
 
 						/* flush the session cache of the server */
-						for (i = 0; i < global.nbthread; i++)
-							ha_free(&ckchi->server->ssl_ctx.reused_sess[i].ptr);
+						for (i = 0; i < global.nbthread; i++) {
+							ha_free(&ckchi->server->ssl_ctx.reused_sess[tid].ptr);
+							ha_free(&ckchi->server->ssl_ctx.reused_sess[i].sni);
+						}
 
 						HA_RWLOCK_WRUNLOCK(SSL_SERVER_LOCK, &ckchi->server->ssl_ctx.lock);
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c725f1f..db9f2a1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -4004,8 +4004,10 @@
 	if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
 		int len;
 		unsigned char *ptr;
+		const char *sni;
 
 		len = i2d_SSL_SESSION(sess, NULL);
+		sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 		HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 		if (s->ssl_ctx.reused_sess[tid].ptr && s->ssl_ctx.reused_sess[tid].allocated_size >= len) {
 			ptr = s->ssl_ctx.reused_sess[tid].ptr;
@@ -4018,6 +4020,18 @@
 			s->ssl_ctx.reused_sess[tid].size = i2d_SSL_SESSION(sess,
 			    &ptr);
 		}
+
+		if (s->ssl_ctx.reused_sess[tid].sni) {
+			/* if the new sni is empty or isn' t the same as the old one */
+			if ((!sni) || strcmp(s->ssl_ctx.reused_sess[tid].sni, sni) != 0) {
+				ha_free(&s->ssl_ctx.reused_sess[tid].sni);
+				if (sni)
+					s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+			}
+		} else if (sni) {
+			/* if there wasn't an old sni but there is a new one */
+			s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
+		}
 		HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 	} else {
 		HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
@@ -5019,8 +5033,10 @@
 	if (srv->ssl_ctx.reused_sess) {
 		int i;
 
-		for (i = 0; i < global.nbthread; i++)
+		for (i = 0; i < global.nbthread; i++) {
 			ha_free(&srv->ssl_ctx.reused_sess[i].ptr);
+			ha_free(&srv->ssl_ctx.reused_sess[i].sni);
+		}
 		ha_free(&srv->ssl_ctx.reused_sess);
 	}
 
@@ -6394,22 +6410,26 @@
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	struct ssl_sock_ctx *ctx;
-
+	struct server *s;
 	char *prev_name;
 
 	if (!ssl_sock_is_ssl(conn))
 		return;
 	ctx = conn->xprt_ctx;
+	s = __objt_server(conn->target);
 
 	/* if the SNI changes, we must destroy the reusable context so that a
-	 * new connection will present a new SNI. As an optimization we could
-	 * later imagine having a small cache of ssl_ctx to hold a few SNI per
-	 * server.
-	 */
-	prev_name = (char *)SSL_get_servername(ctx->ssl, TLSEXT_NAMETYPE_host_name);
+	 * new connection will present a new SNI. compare with the SNI
+	 * previously stored in the reused_sess */
+	/* the RWLOCK is used to ensure that we are not trying to flush the
+	 * cache from the CLI */
+
+	HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
+	prev_name = s->ssl_ctx.reused_sess[tid].sni;
 	if ((!prev_name && hostname) ||
 	    (prev_name && (!hostname || strcmp(hostname, prev_name) != 0)))
 		SSL_set_session(ctx->ssl, NULL);
+	HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &s->ssl_ctx.lock);
 
 	SSL_set_tlsext_host_name(ctx->ssl, hostname);
 #endif