From cc5ae9a29b52ed217e773e9c4057e0029d3a1fbf Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Mon, 18 Dec 2023 17:26:01 +0100
Subject: [PATCH] MINOR: quic-be: ssl_sock contexts allocation and misc adaptations

Implement ssl_sock_new_ssl_ctx() to allocate a SSL server context as this is currently done for TCP servers and also for QUIC servers depending on the boolean value passed as new parameter. For QUIC servers, this function calls ssl_quic_srv_new_ssl_ctx() which is specific to QUIC.
---
 include/haproxy/ssl_ckch.h | 2 +-
 src/ssl_ckch.c | 5 +++--
 src/ssl_sock.c | 24 ++++++++++++++++++++----
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 19ebac556..843b6db00 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -62,7 +62,7 @@ struct ckch_inst *ckch_inst_new();
 int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount, int is_default, struct ckch_inst **ckchi, char **err);
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
- struct ckch_inst **ckchi, char **err);
+ struct ckch_inst **ckchi, char **err, int is_quic);
 int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi, struct ckch_inst **new_inst, char **err);
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 57f1c3e91..9157421b4 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -2601,8 +2601,9 @@ int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi,
 fcount = ckchi->crtlist_entry->fcount;
 }
- if (ckchi->is_server_instance)
- errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err);
+ if (ckchi->is_server_instance) {
+ errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err, srv_is_quic(ckchi->server));
+ }
 else
 errcode |= ckch_inst_new_load_store(ckch_store->path, ckch_store, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, ckchi->is_default, new_inst, err);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1a953606e..663a14da4 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -65,6 +65,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -3039,6 +3040,20 @@ error:
 return errcode;
 }
+#ifdef USE_QUIC
+static inline SSL_CTX *ssl_sock_new_ssl_ctx(int is_quic)
+{
+ if (is_quic)
+ return ssl_quic_srv_new_ssl_ctx();
+ else
+ return SSL_CTX_new(SSLv23_client_method());
+}
+#else
+static inline SSL_CTX *ssl_sock_new_ssl_ctx(int is_quic)
+{
+ return SSL_CTX_new(SSLv23_client_method());
+}
+#endif
 /*
 * This function allocate a ckch_inst that will be used on the backend side
@@ -3050,7 +3065,7 @@ error:
 * ERR_WARN if a warning is available into err
 */
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
- struct ckch_inst **ckchi, char **err)
+ struct ckch_inst **ckchi, char **err, int is_quic)
 {
 SSL_CTX *ctx;
 struct ckch_data *data;
@@ -3064,7 +3079,7 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 data = ckchs->data;
- ctx = SSL_CTX_new(SSLv23_client_method());
+ ctx = ssl_sock_new_ssl_ctx(is_quic);
 if (!ctx) {
 memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
 err && *err ? *err : "", path);
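Review bot: The rewritten `if (ckchi->is_server_instance)` arm now carries braces while the `else` arm right after it (`else` / `errcode |= ckch_inst_new_load_store(...)`) stays unbraced, so the two arms of one statement are formatted differently. If the braces were added to make the long call readable, bracing the other arm the same way, `} else {` ... `}`, keeps the construct symmetric. The new `srv_is_quic(ckchi->server)` argument also relies on `ckchi->server` being set for every instance flagged `is_server_instance`; that invariant is not visible in the hunk, so a short comment stating it would help the next reader. ckch_inst_rebuild's body starts and ends outside the hunk.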
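Review bot: The new `ssl_sock_new_ssl_ctx()` helper has no comment, and its `#else` variant declares an `is_quic` parameter it never reads, which trips `-Wunused-parameter` where that warning is on and silently hands back a TLS-over-TCP client context to a caller that asked for a QUIC one. A header comment above both definitions such as `/* Allocate a backend SSL_CTX: QUIC-specific when <is_quic> is set (USE_QUIC builds only), otherwise a TLS client context. Returns NULL on allocation failure. */` would document the contract, and `(void)is_quic;` as the first statement of the `#else` body silences the warning. Whether `srv_is_quic()` can return non-zero in a build without USE_QUIC is not visible here; if it cannot, a one-line comment in the fallback stating that invariant would make the silent fallback clearly intentional.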
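Review bot: The function comment closing with `*/` directly above `ckch_inst_new_load_srv_store()` was not extended for the new `is_quic` parameter, so it still describes the return codes but not what the extra argument selects. Adding a line before the closing `*/`, e.g. ` * <is_quic> selects a QUIC-specific SSL_CTX (USE_QUIC builds) instead of a TLS client context`, keeps the comment in step with the prototype; the same parameter is also undocumented at the prototype in include/haproxy/ssl_ckch.h. The comment itself begins outside the hunk, and the function body continues past it.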
@@ -3135,7 +3150,8 @@ static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs,
 int errcode = 0;
 /* we found the ckchs in the tree, we can use it directly */
- errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, err);
+ errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, err,
+ srv_is_quic(server));
 if (errcode & ERR_CODE)
 return errcode;
@@ -4427,7 +4443,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 /* The context will be uninitialized if there wasn't any "cert" option
 * in the server line. */
 if (!ctx) {
- ctx = SSL_CTX_new(SSLv23_client_method());
+ ctx = ssl_sock_new_ssl_ctx(srv_is_quic(srv));
 if (!ctx) {
 ha_alert("unable to allocate ssl context.\n");
 cfgerr++;