]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fc90964)
MINOR: quic-be: Missing callbacks initializations (USE_QUIC_OPENSSL_COMPAT)
authorFrederic Lecaille <flecaille@haproxy.com>
Wed, 28 May 2025 13:58:44 +0000 (15:58 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 11 Jun 2025 16:37:34 +0000 (18:37 +0200)
quic_tls_compat_init() function is called from OpenSSL QUIC compatibility module
(USE_QUIC_OPENSSL_COMPAT) to initialize the keylog callback and the callback
which stores the QUIC transport parameters as a TLS extensions into the stack.
These callbacks must also be initialized for QUIC backends.

src/quic_openssl_compat.c patch | blob | blame | history
src/quic_ssl.c patch | blob | blame | history

diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
index d914ac4d0dc0751cb98d9e031261932ec744a352..2f36c68d61846e194d662776dfad76e1d867bc96 100644 (file)
--- a/src/quic_openssl_compat.c
+++ b/src/quic_openssl_compat.c
@@ -58,7 +58,7 @@ static int qc_ssl_compat_add_tps_cb(SSL *ssl, unsigned int ext_type, unsigned in
 int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx)
 {
        /* Ignore non-QUIC connections */
-       if (bind_conf->xprt != xprt_get(XPRT_QUIC))
+       if (bind_conf && bind_conf->xprt != xprt_get(XPRT_QUIC))
                return 1;
 
        /* This callback is already registered if the TLS keylog is activated for
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 811b785027b6688a691670066c364e663afffc9f..695ddf7b5117595d97f4e0ddef9c3dc70e930520 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -773,7 +773,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
  */
 SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
 {
-       SSL_CTX *ctx;
+       SSL_CTX *ctx = NULL;
        /* XXX TODO: check this: XXX */
        long options =
                (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
@@ -791,10 +791,19 @@ SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
        SSL_CTX_set_options(ctx, options);
        SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
        SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+#ifdef USE_QUIC_OPENSSL_COMPAT
+       if (!quic_tls_compat_init(NULL, ctx))
+               goto err;
+#endif
 
  leave:
        TRACE_LEAVE(QUIC_EV_CONN_NEW);
        return ctx;
+ err:
+       SSL_CTX_free(ctx);
+       ctx = NULL;
+       TRACE_DEVEL("leaving on error", QUIC_EV_CONN_NEW);
+       goto leave;
 }
 
 /* This function gives the detail of the SSL error. It is used only
Mirror of https://github.com/haproxy/haproxy.git