MINOR: quic: do not set conn member if ssl_sock_ctx

ssl_sock_ctx is a generic object used both on TCP/SSL and QUIC stacks.
Most notably it contains a <conn> member which is a pointer to struct
connection.

On QUIC frontend side, this member is always set to NULL. Indeed,
connection is only created after handshake completion. However, this has
changed for backend side, where the connection is instantiated prior to
its quic_conn counterpart. Thus, ssl_sock_ctx member would be set in
this case as a convenience for use later in qc_ssl_do_hanshake().

However, this method was unsafe as the connection can be released,
without resetting ssl_sock_ctx member. Thus, the previous patch fixes
this by using on <conn> member through the quic_conn instance which is
the proper way.

Thus, this patch resets ssl_sock_ctx <conn> member to NULL. This is
deemed the cleanest method as it ensures that both frontend and backend
sides must not use it anymore.

diff --git a/include/haproxy/quic_ssl.h b/include/haproxy/quic_ssl.h
index d8f25fb65e9cb1f9d5301398a7d8d4d99853ed4f..3f0c2010c4a2f074ba9cb75bd9533c2e5266c0b4 100644 (file)
--- a/include/haproxy/quic_ssl.h
+++ b/include/haproxy/quic_ssl.h
@@ -35,7 +35,7 @@
 
 int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
 SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
-int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn);
+int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target);
 int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
 int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
 

diff --git a/src/quic_conn.c b/src/quic_conn.c
index 00a84d606f00c705d64565838a47b17eb6e610af..98a9820b2f7bc0366dce1f92a37844293cd470ce 100644 (file)
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -1359,7 +1359,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
        qc->wait_event.events = 0;
        qc->subs = NULL;
 
-       if (qc_alloc_ssl_sock_ctx(qc, conn) ||
+       if (qc_alloc_ssl_sock_ctx(qc, target) ||
            !quic_conn_init_timer(qc) ||
            !quic_conn_init_idle_timer_task(qc, prx))
                goto err;

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 6ef87f8d1e9a764139825d56a34aae1241e6ec0b..bf756f92943959c2e84901f84e9b97a33a109164 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1183,7 +1183,7 @@ static int quic_ssl_set_tls_cbs(SSL *ssl)
  * CO_ER_SSL_NO_MEM.
  */
 static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl,
-                            struct connection *conn, int server)
+                            int server)
 {
        int retry, ret = -1;
 
@@ -1263,10 +1263,12 @@ static int qc_set_quic_early_data_enabled(struct quic_conn *qc, SSL *ssl)
  *
  * Returns 0 on success else non-zero.
  */
-int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
+int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target)
 {
-       int ret = 0;
        struct ssl_sock_ctx *ctx = NULL;
+       struct bind_conf *bc;
+       struct server *srv;
+       int ret = 0;
 
        TRACE_ENTER(QUIC_EV_CONN_NEW, qc);
 
@@ -1276,7 +1278,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
                goto err;
        }
 
-       ctx->conn = conn;
+       ctx->conn = NULL;
        ctx->bio = NULL;
        ctx->xprt = NULL;
        ctx->xprt_ctx = NULL;
@@ -1289,9 +1291,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
        ctx->qc = qc;
 
        if (!qc_is_back(qc)) {
-               struct bind_conf *bc = qc->li->bind_conf;
-
-               if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, NULL, 1) == -1)
+               bc = __objt_listener(target)->bind_conf;
+               if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, 1) == -1)
                        goto err;
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
                /* Enabling 0-RTT */
@@ -1302,9 +1303,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
                SSL_set_accept_state(ctx->ssl);
        }
        else {
-               struct server *srv = __objt_server(ctx->conn->target);
-
-               if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, conn, 0) == -1)
+               srv = __objt_server(target);
+               if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, 0) == -1)
                        goto err;
 
                if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))