From 81df60f6229e66dc8306e55ea2103e577782d984 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 21 Jan 2021 22:02:18 +0000 Subject: TLS: on Linux when sockopt TCP_FASTOPEN_CONNECT is available, use TFO for TLS-on-connect client connections --- src/src/smtp_out.c | 32 +++++++++++++++++++++++++++++--- src/src/transports/smtp.c | 7 ++++++- 2 files changed, 35 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c index 2d2fd2180..b1a25f70a 100644 --- a/src/src/smtp_out.c +++ b/src/src/smtp_out.c @@ -246,9 +246,18 @@ switch (tcp_out_fastopen) #endif -/* Arguments as for smtp_connect(), plus - early_data if non-NULL, idenmpotent data to be sent - +/* Arguments: + host host item containing name and address and port + host_af AF_INET or AF_INET6 + port TCP port number + interface outgoing interface address or NULL + tb transport + timeout timeout value or 0 + early_data if non-NULL, idempotent data to be sent - preferably in the TCP SYN segment + Special case: non-NULL but with NULL blob.data - caller is + client-data-first (eg. TLS-on-connect) and a lazy-TCP-connect is + acceptable. Returns: connected socket number, or -1 with errno set */ @@ -318,8 +327,22 @@ early-data but no TFO support, send it after connecting. */ else { #ifdef TCP_FASTOPEN + /* See if TCP Fast Open usable. Default is a traditional 3WHS connect */ if (verify_check_given_host(CUSS &ob->hosts_try_fastopen, host) == OK) - fastopen_blob = early_data ? early_data : &tcp_fastopen_nodata; + { + if (!early_data) + fastopen_blob = &tcp_fastopen_nodata; /* TFO, with no data */ + else if (early_data->data) + fastopen_blob = early_data; /* TFO, with data */ +# ifdef TCP_FASTOPEN_CONNECT + else + { /* expecting client data */ + debug_printf(" set up lazy-connect\n"); + setsockopt(sock, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, US &on, sizeof(on)); + /* fastopen_blob = NULL; lazy TFO, triggered by data write */ + } +# endif + } #endif if (ip_connect(sock, host_af, host->address, port, timeout, fastopen_blob) < 0) @@ -409,6 +432,9 @@ host->address will always be an IPv4 address. Arguments: sc details for making connection: host, af, interface, transport early_data if non-NULL, data to be sent - preferably in the TCP SYN segment + Special case: non-NULL but with NULL blob.data - caller is + client-data-first (eg. TLS-on-connect) and a lazy-TCP-connect is + acceptable. Returns: connected socket number, or -1 with errno set */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index ee5e49e57..eb6b77416 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2098,7 +2098,12 @@ PIPE_CONNECT_RETRY: else #endif { - if ((sx->cctx.sock = smtp_connect(&sx->conn_args, NULL)) < 0) + blob lazy_conn = {.data = NULL}; + /* For TLS-connect, a TFO lazy-connect is useful since the Client Hello + can go on the TCP SYN. */ + + if ((sx->cctx.sock = smtp_connect(&sx->conn_args, + sx->smtps ? &lazy_conn : NULL)) < 0) { set_errno_nohost(sx->addrlist, errno == ETIMEDOUT ? ERRNO_CONNECTTIMEOUT : errno, -- cgit v1.2.3