From e0229aaf27d83d3ea5f0bd0b443bee9ca0526914 Mon Sep 17 00:00:00 2001
From: Masakazu Kitajo
Date: Wed, 12 Jan 2022 11:03:32 +0900
Subject: [PATCH] Prevent calling SSL_set_session in the middle of handshake

ATS crahses if origin session cache is used with BoringSSL, because BoringSSL doesn't allow you to call SSL_set_session after starting handshake.
---
 iocore/net/P_SSLNetVConnection.h | 1 +
 iocore/net/SSLNetVConnection.cc | 23 +++++++++++++----------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 8e109a94d58..a30406cdd7f 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -459,6 +459,7 @@ class SSLNetVConnection : public UnixNetVConnection,
 enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
 bool sslClientRenegotiationAbort = false;
+ bool first_ssl_connect = true;
 MIOBuffer *handShakeBuffer = nullptr;
 IOBufferReader *handShakeHolder = nullptr;
 IOBufferReader *handShakeReader = nullptr;
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 282bbe5044a..0ae7440189c 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -2080,19 +2080,22 @@ SSLNetVConnection::_ssl_connect()
 ERR_clear_error();
 SSL_SESSION *sess = SSL_get_session(ssl);
- if (!sess && SSLConfigParams::origin_session_cache == 1 && SSLConfigParams::origin_session_cache_size > 0) {
- std::string sni_addr = get_sni_addr(ssl);
- if (!sni_addr.empty()) {
- std::string lookup_key;
- ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
+ if (first_ssl_connect) {
+ first_ssl_connect = false;
+ if (!sess && SSLConfigParams::origin_session_cache == 1 && SSLConfigParams::origin_session_cache_size > 0) {
+ std::string sni_addr = get_sni_addr(ssl);
+ if (!sni_addr.empty()) {
+ std::string lookup_key;
+ ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
- Debug("ssl.origin_session_cache", "origin session cache lookup key = %s", lookup_key.c_str());
+ Debug("ssl.origin_session_cache", "origin session cache lookup key = %s", lookup_key.c_str());
- std::shared_ptr shared_sess = this->getOriginSession(ssl, lookup_key);
+ std::shared_ptr shared_sess = this->getOriginSession(ssl, lookup_key);
- if (shared_sess && SSL_set_session(ssl, shared_sess.get())) {
- // Keep a reference of this shared pointer in the connection
- this->client_sess = shared_sess;
+ if (shared_sess && SSL_set_session(ssl, shared_sess.get())) {
+ // Keep a reference of this shared pointer in the connection
+ this->client_sess = shared_sess;
+ }
 }
 }
 }
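Review bot: The new `if (first_ssl_connect)` gate is tied to the connection object rather than to the SSL handle, so if SSLNetVConnection instances are recycled through a clear()/free() path instead of being reconstructed, `first_ssl_connect` stays false and every reused connection silently skips the origin session cache lookup; it should be reset to true alongside `sslHandshakeStatus` in whichever reset path the class uses, and likewise wherever `ssl` is replaced for a fresh handshake. The in-class initializer added in P_SSLNetVConnection.h only covers construction. That declaration also deserves a comment stating why it exists, e.g. `// true until the first _ssl_connect() call; SSL_set_session() may only be called before the handshake starts (BoringSSL rejects it afterwards)`. _ssl_connect() begins and ends outside the hunk.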