BUG/MINOR: quic: Missing call to TLS message callbacks

This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT).

The TLS capture of information from client hello enabled by
tune.ssl.capture-buffer-size could not work with USE_QUIC_OPENSSL_COMPAT. This
is due to the fact the callback set for this feature was replaced by
quic_tls_compat_msg_callback(). In fact this called must be registered by
ssl_sock_register_msg_callback() as this done for the TLS client hello capture.
A call to this function appends the function passed as parameter to a list of
callbacks to be called when the TLS stack parse a TLS message.
quic_tls_compat_msg_callback() had to be modified to return if it is called
for a non-QUIC TLS session.

Must be backported to 2.8.

diff --git a/include/haproxy/quic_openssl_compat.h b/include/haproxy/quic_openssl_compat.h
index 0d4c3ee67c5f1d4f76cad1414acc157f6cfcc564..837a28d53ab30b9aad483ba68da92fe5a8aaabec 100644 (file)
--- a/include/haproxy/quic_openssl_compat.h
+++ b/include/haproxy/quic_openssl_compat.h
@@ -15,6 +15,9 @@
 #define QUIC_OPENSSL_COMPAT_CLIENT_APPLICATION   "CLIENT_TRAFFIC_SECRET_0"
 #define QUIC_OPENSSL_COMPAT_SERVER_APPLICATION   "SERVER_TRAFFIC_SECRET_0"
 
+void quic_tls_compat_msg_callback(struct connection *conn,
+                                  int write_p, int version, int content_type,
+                                  const void *buf, size_t len, SSL *ssl);
 int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx);
 void quic_tls_compat_keylog_callback(const SSL *ssl, const char *line);
 

diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
index efd9b1500833bb960a5dbadd3d699c8a7ed36860..2a8f83dc4f3bb3e3dc11c06a4150a11786e44d24 100644 (file)
--- a/src/quic_openssl_compat.c
+++ b/src/quic_openssl_compat.c
@@ -353,19 +353,22 @@ leave:
 }
 
 /* Callback use to parse TLS messages for <ssl> TLS session. */
-static void quic_tls_compat_msg_callback(int write_p, int version, int content_type,
-                                         const void *buf, size_t len, SSL *ssl, void *arg)
+void quic_tls_compat_msg_callback(struct connection *conn,
+                                  int write_p, int version, int content_type,
+                                  const void *buf, size_t len, SSL *ssl)
 {
        unsigned int alert;
        enum ssl_encryption_level_t   level;
        struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
-       struct quic_openssl_compat *com = &qc->openssl_compat;
+       struct quic_openssl_compat *com;
 
-       TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc);
-       if (!write_p)
+       if (!write_p || !qc)
                goto leave;
 
-       level = qc->openssl_compat.write_level;
+       TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc);
+
+       com = &qc->openssl_compat;
+       level = com->write_level;
        switch (content_type) {
        case SSL3_RT_HANDSHAKE:
                com->method->add_handshake_data(ssl, level, buf, len);
@@ -399,7 +402,6 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
                goto err;
 
        SSL_set_bio(ssl, rbio, wbio);
-       SSL_set_msg_callback(ssl, quic_tls_compat_msg_callback);
        /* No ealy data support */
        SSL_set_max_early_data(ssl, 0);
 

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 986a2328692e69c361bd96f504be4b7642dd61f0..7e20d19029962adee394905868a07c450495d594 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -63,10 +63,11 @@
 #include <haproxy/pattern-t.h>
 #include <haproxy/proto_tcp.h>
 #include <haproxy/proxy.h>
-#include <haproxy/sample.h>
-#include <haproxy/sc_strm.h>
 #include <haproxy/quic_conn.h>
+#include <haproxy/quic_openssl_compat.h>
 #include <haproxy/quic_tp.h>
+#include <haproxy/sample.h>
+#include <haproxy/sc_strm.h>
 #include <haproxy/server.h>
 #include <haproxy/shctx.h>
 #include <haproxy/ssl_ckch.h>
@@ -609,6 +610,10 @@ static int ssl_sock_register_msg_callbacks(void)
                        return ERR_ABORT;
        }
 #endif
+#ifdef USE_QUIC_OPENSSL_COMPAT
+       if (!ssl_sock_register_msg_callback(quic_tls_compat_msg_callback))
+               return ERR_ABORT;
+#endif
 
        return ERR_NONE;
 }