MINOR: quic-be: ssl_sock contexts allocation and misc adaptations
authorFrederic Lecaille <flecaille@haproxy.com>
Mon, 18 Dec 2023 16:26:01 +0000 (17:26 +0100)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 11 Jun 2025 16:37:34 +0000 (18:37 +0200)
Implement ssl_sock_new_ssl_ctx() to allocate an SSL server context, as is currently
done for TCP servers, and also for QUIC servers depending on the <is_quic> boolean value
passed as a new parameter. For QUIC servers, this function calls ssl_quic_srv_new_ssl_ctx(),
which is specific to QUIC.

include/haproxy/ssl_ckch.h
src/ssl_ckch.c
src/ssl_sock.c

index 19ebac556d1c27ea2b539f310a410efe25b3d242..843b6db00a89da8d3ba9c6c16b1534e1eb3cd017 100644 (file)
@@ -62,7 +62,7 @@ struct ckch_inst *ckch_inst_new();
 int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct bind_conf *bind_conf,
                              struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount, int is_default, struct ckch_inst **ckchi, char **err);
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
-                                 struct ckch_inst **ckchi, char **err);
+                                 struct ckch_inst **ckchi, char **err, int is_quic);
 int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi,
                       struct ckch_inst **new_inst, char **err);
 
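Review bot: The new `is_quic` parameter of ckch_inst_new_load_srv_store() is not described anywhere: this prototype carries no comment, and the function's header comment in src/ssl_sock.c (the `@@ -3050,7 +3065,7 @@` hunk) lists only the return codes. A one-line addition to that header comment, e.g. ` *     <is_quic> selects a QUIC server SSL context instead of a TLS client one`, would tell callers what the flag changes. The same remark applies to the definition hunk in src/ssl_sock.c; the comment block there starts before that hunk, so the line would be added outside the visible diff.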
index 57f1c3e91eea2d3ad91eed01fed2f252a077bb3f..9157421b4b9759f36bad5afb49487851f1542d79 100644 (file)
@@ -2601,8 +2601,9 @@ int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi,
                fcount = ckchi->crtlist_entry->fcount;
        }
 
-       if (ckchi->is_server_instance)
-               errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err);
+       if (ckchi->is_server_instance) {
+               errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err, srv_is_quic(ckchi->server));
+       }
        else
                errcode |= ckch_inst_new_load_store(ckch_store->path, ckch_store, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, ckchi->is_default, new_inst, err);
 
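Review bot: The braces added around the `if (ckchi->is_server_instance)` body are not matched on the `else` arm, so the two arms of one statement now use different styles. Either brace both (`} else {` ... `}`) or keep the original unbraced form, since the body is still a single call: `if (ckchi->is_server_instance)` / `errcode |= ckch_inst_new_load_srv_store(ckch_store->path, ckch_store, new_inst, err, srv_is_quic(ckchi->server));`. The call presumably relies on `ckchi->server` being set whenever `is_server_instance` is true; that invariant is not visible in this hunk. ckch_inst_rebuild() starts and ends outside the hunk.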
index 1a953606e56711836eb5fbd518c6bcea99e8ff1a..663a14da42a0770bbb4ae403495e32935bf6c241 100644 (file)
@@ -65,6 +65,7 @@
 #include <haproxy/proxy.h>
 #include <haproxy/quic_conn.h>
 #include <haproxy/quic_openssl_compat.h>
+#include <haproxy/quic_ssl.h>
 #include <haproxy/quic_tp.h>
 #include <haproxy/sample.h>
 #include <haproxy/sc_strm.h>
@@ -3039,6 +3040,20 @@ error:
        return errcode;
 }
 
+#ifdef USE_QUIC
+static inline SSL_CTX *ssl_sock_new_ssl_ctx(int is_quic)
+{
+       if (is_quic)
+               return ssl_quic_srv_new_ssl_ctx();
+       else
+               return SSL_CTX_new(SSLv23_client_method());
+}
+#else
+static inline SSL_CTX *ssl_sock_new_ssl_ctx(int is_quic)
+{
+       return SSL_CTX_new(SSLv23_client_method());
+}
+#endif
 
 /*
  * This function allocate a ckch_inst that will be used on the backend side
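Review bot: The two `#ifdef USE_QUIC` definitions of ssl_sock_new_ssl_ctx() duplicate the TCP fallback, and the non-QUIC variant silently drops `is_quic`, so a caller passing a QUIC server in a build without USE_QUIC gets a plain TLS client context with no diagnostic (presumably configuration parsing rejects such servers earlier; worth confirming). A single definition with only the QUIC branch under `#ifdef` keeps one copy of the fallback and makes the ignored parameter explicit. The helper also has no header comment, unlike the surrounding functions; the rewrite below adds one stating what each branch returns, with NULL on allocation failure as the callers' `if (!ctx)` checks expect.
```c
/* Allocate a new SSL_CTX for a server: a QUIC server context when
 * <is_quic> is non-zero and QUIC support is compiled in, a TLS client
 * context otherwise. Returns NULL on allocation failure.
 */
static inline SSL_CTX *ssl_sock_new_ssl_ctx(int is_quic)
{
#ifdef USE_QUIC
	if (is_quic)
		return ssl_quic_srv_new_ssl_ctx();
#else
	(void)is_quic;
#endif
	return SSL_CTX_new(SSLv23_client_method());
}
```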
@@ -3050,7 +3065,7 @@ error:
  *     ERR_WARN if a warning is available into err
  */
 int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
-                                struct ckch_inst **ckchi, char **err)
+                                struct ckch_inst **ckchi, char **err, int is_quic)
 {
        SSL_CTX *ctx;
        struct ckch_data *data;
@@ -3064,7 +3079,7 @@ int ckch_inst_new_load_srv_store(const char *path, struct ckch_store *ckchs,
 
        data = ckchs->data;
 
-       ctx = SSL_CTX_new(SSLv23_client_method());
+       ctx = ssl_sock_new_ssl_ctx(is_quic);
        if (!ctx) {
                memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
                          err && *err ? *err : "", path);
@@ -3135,7 +3150,8 @@ static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs,
        int errcode = 0;
 
        /* we found the ckchs in the tree, we can use it directly */
-       errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, err);
+       errcode |= ckch_inst_new_load_srv_store(path, ckchs, ckch_inst, err,
+                                               srv_is_quic(server));
 
        if (errcode & ERR_CODE)
                return errcode;
@@ -4427,7 +4443,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
        /* The context will be uninitialized if there wasn't any "cert" option
         * in the server line. */
        if (!ctx) {
-               ctx = SSL_CTX_new(SSLv23_client_method());
+               ctx = ssl_sock_new_ssl_ctx(srv_is_quic(srv));
                if (!ctx) {
                        ha_alert("unable to allocate ssl context.\n");
                        cfgerr++;