1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset

Browse Source 
A QUIC must sent its transport parameter using a TLS custom extention. This
extension is reset by SSL_set_SSL_CTX(). It can be restored calling
quic_ssl_set_tls_cbs() (which calls SSL_set_quic_tls_cbs()).
This commit is contained in:
Frederic Lecaille 2025-05-19 17:36:19 +02:00
parent 5075a21fe1
commit 653cb95d54
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/ssl_clienthello.c
View File

@ -16,6 +16,7 @@
#include <haproxy/proto_tcp.h> #include <haproxy/proto_tcp.h>
#include <haproxy/quic_conn.h> #include <haproxy/quic_conn.h>
#include <haproxy/quic_openssl_compat.h> #include <haproxy/quic_openssl_compat.h>
#include <haproxy/quic_ssl.h>
#include <haproxy/quic_tp.h> #include <haproxy/quic_tp.h>
#include <haproxy/ssl_ckch.h> #include <haproxy/ssl_ckch.h>
#include <haproxy/ssl_gencert.h> #include <haproxy/ssl_gencert.h>
@ -28,6 +29,9 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk); SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx))); SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
SSL_set_SSL_CTX(ssl, ctx); SSL_set_SSL_CTX(ssl, ctx);
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
quic_ssl_set_tls_cbs(ssl);
#endif
} }
/* /*

13
src/ssl_gencert.c
View File

@ -12,6 +12,7 @@
#include <haproxy/errors.h> #include <haproxy/errors.h>
#include <haproxy/openssl-compat.h> #include <haproxy/openssl-compat.h>
#include <haproxy/quic_ssl.h>
#include <haproxy/ssl_ckch.h> #include <haproxy/ssl_ckch.h>
#include <haproxy/ssl_sock.h> #include <haproxy/ssl_sock.h>
#include <haproxy/xxhash.h> #include <haproxy/xxhash.h>
@ -284,8 +285,12 @@ SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind
HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0); lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0);
if (lru && lru->domain) { if (lru && lru->domain) {
if (ssl) if (ssl) {
SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data); SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
quic_ssl_set_tls_cbs(ssl);
#endif
}
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
return (SSL_CTX *)lru->data; return (SSL_CTX *)lru->data;
} }
@ -354,12 +359,18 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free); lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
} }
SSL_set_SSL_CTX(ssl, ssl_ctx); SSL_set_SSL_CTX(ssl, ssl_ctx);
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
quic_ssl_set_tls_cbs(ssl);
#endif
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock); HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
return 1; return 1;
} }
else { else {
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
SSL_set_SSL_CTX(ssl, ssl_ctx); SSL_set_SSL_CTX(ssl, ssl_ctx);
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
quic_ssl_set_tls_cbs(ssl);
#endif
/* No LRU cache, this CTX will be released as soon as the session dies */ /* No LRU cache, this CTX will be released as soon as the session dies */
SSL_CTX_free(ssl_ctx); SSL_CTX_free(ssl_ctx);
return 1; return 1;