MINOR: quic-be: Add a function for the TLS context allocations

Implement ssl_quic_srv_new_ssl_ctx() whose aim is to allocate a TLS context for QUIC servers.
2023-12-18 17:06:40 +01:00 · 2023-12-18 17:06:40 +01:00 · 1e45690656
commit 1e45690656
parent a4e1296208
2 changed files with 30 additions and 0 deletions
--- a/include/haproxy/quic_ssl.h
+++ b/include/haproxy/quic_ssl.h
@ -34,6 +34,7 @@
 #include <haproxy/ssl_sock-t.h>

 int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
+SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
 int qc_alloc_ssl_sock_ctx(struct quic_conn *qc);
 int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
 int quic_ssl_set_tls_cbs(SSL *ssl);
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@ -754,6 +754,35 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 	return cfgerr;
 }

+/* Allocate a TLS context for a QUIC server.
+ * Return this context if succeeded, NULL if failed.
+ */
+SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
+{
+	SSL_CTX *ctx;
+	/* XXX TODO: check this: XXX */
+	long options =
+		(SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+		SSL_OP_SINGLE_ECDH_USE |
+		SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+	TRACE_ENTER(QUIC_EV_CONN_NEW);
+
+	ctx = SSL_CTX_new(TLS_client_method());
+	if (!ctx) {
+		TRACE_ERROR("Could not allocate a new TLS context", QUIC_EV_CONN_NEW);
+		goto leave;
+	}
+
+	SSL_CTX_set_options(ctx, options);
+	SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+	SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+
+ leave:
+	TRACE_LEAVE(QUIC_EV_CONN_NEW);
+	return ctx;
+}
+
 /* This function gives the detail of the SSL error. It is used only
 * if the debug mode and the verbose mode are activated. It dump all
 * the SSL error until the stack was empty.