BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines

ssl_tlsext_ticket_key_cb() is called when "tls-ticket-keys" option is used on a
"bind" line. It needs to have an access to the TLS ticket keys which have been
stored into the listener bind_conf struct. The fix consists in nitializing the
<ref> variable (references to TLS secret keys) the correct way when this callback
is called for a QUIC connection. The bind_conf struct is store into the quic_conn
object (QUIC connection).

This issue may be in relation with GH #1851. Thank you for @tasavis for the report.

Must be backported to 2.6.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 02b369a7902121a783370740e1b3fc64e3449b2a..0edad3b0824b9b80e29506ec3ddcec27fbb2ae84 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1154,15 +1154,28 @@ static int ssl_hmac_init(MAC_CTX *hctx, unsigned char *key, int key_len, const E
 
 static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
 {
-       struct tls_keys_ref *ref;
+       struct tls_keys_ref *ref = NULL;
        union tls_sess_key *keys;
-       struct connection *conn;
        int head;
        int i;
        int ret = -1; /* error by default */
+       struct connection *conn = SSL_get_ex_data(s, ssl_app_data_index);
+#ifdef USE_QUIC
+       struct quic_conn *qc = SSL_get_ex_data(s, ssl_qc_app_data_index);
+#endif
+
+       if (conn)
+               ref  = __objt_listener(conn->target)->bind_conf->keys_ref;
+#ifdef USE_QUIC
+       else if (qc)
+               ref =  qc->li->bind_conf->keys_ref;
+#endif
+
+       if (!ref) {
+               /* must never happen */
+               ABORT_NOW();
+       }
 
-       conn = SSL_get_ex_data(s, ssl_app_data_index);
-       ref  = __objt_listener(conn->target)->bind_conf->keys_ref;
        HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock);
 
        keys = ref->tlskeys;