From: Frédéric Lécaille Date: Thu, 21 Dec 2023 15:11:35 +0000 (+0100) Subject: BUG/MINOR: quic: Missing call to TLS message callbacks X-Git-Tag: v3.0-dev1~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10e96fcd177e858284252d413aaf16af06474beb;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Missing call to TLS message callbacks This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT). The TLS capture of information from client hello enabled by tune.ssl.capture-buffer-size could not work with USE_QUIC_OPENSSL_COMPAT. This is due to the fact the callback set for this feature was replaced by quic_tls_compat_msg_callback(). In fact this called must be registered by ssl_sock_register_msg_callback() as this done for the TLS client hello capture. A call to this function appends the function passed as parameter to a list of callbacks to be called when the TLS stack parse a TLS message. quic_tls_compat_msg_callback() had to be modified to return if it is called for a non-QUIC TLS session. Must be backported to 2.8. --- diff --git a/include/haproxy/quic_openssl_compat.h b/include/haproxy/quic_openssl_compat.h index 0d4c3ee67c..837a28d53a 100644 --- a/include/haproxy/quic_openssl_compat.h +++ b/include/haproxy/quic_openssl_compat.h @@ -15,6 +15,9 @@ #define QUIC_OPENSSL_COMPAT_CLIENT_APPLICATION "CLIENT_TRAFFIC_SECRET_0" #define QUIC_OPENSSL_COMPAT_SERVER_APPLICATION "SERVER_TRAFFIC_SECRET_0" +void quic_tls_compat_msg_callback(struct connection *conn, + int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl); int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx); void quic_tls_compat_keylog_callback(const SSL *ssl, const char *line); diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c index efd9b15008..2a8f83dc4f 100644 --- a/src/quic_openssl_compat.c +++ b/src/quic_openssl_compat.c @@ -353,19 +353,22 @@ leave: } /* Callback use to parse TLS messages for TLS session. */ -static void quic_tls_compat_msg_callback(int write_p, int version, int content_type, - const void *buf, size_t len, SSL *ssl, void *arg) +void quic_tls_compat_msg_callback(struct connection *conn, + int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl) { unsigned int alert; enum ssl_encryption_level_t level; struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index); - struct quic_openssl_compat *com = &qc->openssl_compat; + struct quic_openssl_compat *com; - TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc); - if (!write_p) + if (!write_p || !qc) goto leave; - level = qc->openssl_compat.write_level; + TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc); + + com = &qc->openssl_compat; + level = com->write_level; switch (content_type) { case SSL3_RT_HANDSHAKE: com->method->add_handshake_data(ssl, level, buf, len); @@ -399,7 +402,6 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) goto err; SSL_set_bio(ssl, rbio, wbio); - SSL_set_msg_callback(ssl, quic_tls_compat_msg_callback); /* No ealy data support */ SSL_set_max_early_data(ssl, 0); diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 986a232869..7e20d19029 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -63,10 +63,11 @@ #include #include #include -#include -#include #include +#include #include +#include +#include #include #include #include @@ -609,6 +610,10 @@ static int ssl_sock_register_msg_callbacks(void) return ERR_ABORT; } #endif +#ifdef USE_QUIC_OPENSSL_COMPAT + if (!ssl_sock_register_msg_callback(quic_tls_compat_msg_callback)) + return ERR_ABORT; +#endif return ERR_NONE; }