BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
authorFrederic Lecaille <flecaille@haproxy.com>
Wed, 9 Jul 2025 09:43:02 +0000 (11:43 +0200)
committerFrederic Lecaille <flecaille@haproxy.com>
Wed, 9 Jul 2025 14:01:02 +0000 (16:01 +0200)
Revert this patch, which is no longer useful since OpenSSL 3.5.1, to remove the
QUIC server callback restoration after an SSL context switch:

    MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset

It was required for 3.5.0. That said, there was no CI for OpenSSL 3.5 at the date
of this commit. The CI recently revealed that the QUIC server side could crash
during QUIC reg tests just after having restored the callbacks as implemented by
the commit above.

Also revert this commit which is no more useful because it arrived with the commit
above:

BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.

Must be backported to 3.2.

include/haproxy/quic_ssl.h
src/quic_ssl.c
src/ssl_clienthello.c
src/ssl_gencert.c

index 485abfa668d6aba9f450ce88c24982ab7a8ff90f..d19020213e6e1fa8a666f221cfec763b41ca6137 100644 (file)
@@ -37,7 +37,6 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
 SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
 int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn);
 int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
-int quic_ssl_set_tls_cbs(SSL *ssl);
 
 static inline void qc_free_ssl_sock_ctx(struct ssl_sock_ctx **ctx)
 {
index 3cb76275328bb917736be6a8e45b27be6e4ca174..af620efbef4df3ee98961b901bd00338b25aac39 100644 (file)
@@ -1121,14 +1121,8 @@ int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 }
 
 /* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */
-int quic_ssl_set_tls_cbs(SSL *ssl)
+static int quic_ssl_set_tls_cbs(SSL *ssl)
 {
-       struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
-
-       /* Ignore the TCP connections */
-       if (!qc)
-               return 1;
-
 #ifdef HAVE_OPENSSL_QUIC
        return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL);
 #else
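Review bot: quic_ssl_set_tls_cbs now installs the QUIC TLS callbacks unconditionally on whatever SSL it receives, since the `SSL_get_ex_data` lookup and the `if (!qc) return 1;` guard are gone; being static, that is only safe if every remaining caller in quic_ssl.c (not visible here) is on a QUIC-only path. The helper comment should record that precondition and fix the typo, e.g. `/* Simple helper to set the specific OpenSSL/quictls QUIC API callbacks. Must only be called on an SSL object bound to a QUIC connection: there is no TCP guard here anymore. */`. The function body continues outside the hunk (the #else branch and closing brace are not shown).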
index 747e74f9163f04199ef5a37272bbd23b04b4a637..9f7ec16d94c00b6ed139130569de01f16f066f65 100644 (file)
@@ -29,9 +29,6 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
        SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
        SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
        SSL_set_SSL_CTX(ssl, ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
-       quic_ssl_set_tls_cbs(ssl);
-#endif
 }
 
 /*
index 375eb4883eca79ba98616ebe4713ae6dbd8ba7ec..1fb84784f991facf02ba6e15117be87b0d0729a3 100644 (file)
@@ -285,12 +285,8 @@ SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind
                HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0);
                if (lru && lru->domain) {
-                       if (ssl) {
+                       if (ssl)
                                SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
-                               quic_ssl_set_tls_cbs(ssl);
-#endif
-                       }
                        HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                        return (SSL_CTX *)lru->data;
                }
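Review bot: The return value of SSL_set_SSL_CTX() on the line after `if (ssl)` is ignored, so if the context switch fails (OpenSSL returns NULL in that case) the handshake carries on with the previous SSL_CTX while the function still hands back the cached ctx as if it had been applied; the same unchecked call appears twice in the next hunk at `SSL_set_SSL_CTX(ssl, ssl_ctx);`. A minimal check such as `if (ssl && !SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data)) { /* switch failed: previous ctx still in use */ }` would at least make the failure observable; what the caller expects on failure is not visible here and would need confirming before returning an error. The enclosing function ssl_sock_assign_generated_cert starts and ends outside the hunk.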
@@ -359,18 +355,12 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
                        lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
                }
                SSL_set_SSL_CTX(ssl, ssl_ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
-               quic_ssl_set_tls_cbs(ssl);
-#endif
                HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                return 1;
        }
        else {
                ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
                SSL_set_SSL_CTX(ssl, ssl_ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
-               quic_ssl_set_tls_cbs(ssl);
-#endif
                /* No LRU cache, this CTX will be released as soon as the session dies */
                SSL_CTX_free(ssl_ctx);
                return 1;
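Review bot: The result of `ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);` in the else branch is passed straight to `SSL_set_SSL_CTX(ssl, ssl_ctx);` with no NULL check, and the branch then returns 1. If the generator can fail and return NULL (its definition is not in this hunk), SSL_set_SSL_CTX() with a NULL ctx falls back to the SSL's session context in OpenSSL, so the connection would silently keep the default certificate while being reported as a success. A guard such as `if (!ssl_ctx) return 0;` right after the call (and an equivalent check before the SSL_set_SSL_CTX call in the LRU branch, releasing the write lock first) would surface the failure; the failure return value should be confirmed against ssl_sock_generate_certificate's callers. The enclosing function starts and ends outside the hunk.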