BUG/MINOR: quic: adjust quic_tls prototypes

Two prototypes in quic_tls module were not identical to the actual
function definition.

* quic_tls_decrypt2() : the second argument const attribute is not
  present, to be able to use it with EVP_CIPHER_CTX_ctlr(). As a
  consequence of this change, token field of quic_rx_packet is now
  declared as non-const.

* quic_tls_generate_retry_integrity_tag() : the second argument type
  differ between the two. Adjust this by fixing it to as unsigned char
  to match EVP_EncryptUpdate() SSL function.

This situation did not seem to have any visible effect. However, this is
clearly an undefined behavior and should be treated as a bug.

This should be backported up to 2.6.

diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index dc2651f8b9819d67f5f0b187c19ca461e790bc6c..40458961e4e7989f17a154b8ef0ac4bd47db39a6 100644 (file)
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -50,7 +50,7 @@ int quic_tls_encrypt(unsigned char *buf, size_t len,
                      const unsigned char *key, const unsigned char *iv);
 
 int quic_tls_decrypt2(unsigned char *out,
-                      const unsigned char *in, size_t ilen,
+                      unsigned char *in, size_t ilen,
                       unsigned char *aad, size_t aad_len,
                       EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
                       const unsigned char *key, const unsigned char *iv);
@@ -60,7 +60,7 @@ int quic_tls_decrypt(unsigned char *buf, size_t len,
                      EVP_CIPHER_CTX *tls_ctx, const EVP_CIPHER *aead,
                      const unsigned char *key, const unsigned char *iv);
 
-int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, size_t odcid_len,
+int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, unsigned char odcid_len,
                                           unsigned char *buf, size_t len,
                                           const struct quic_version *qv);
 

diff --git a/include/haproxy/xprt_quic-t.h b/include/haproxy/xprt_quic-t.h
index 9af3cc6b077ea7f89f457c275a133653db982ebd..e7aefea8a21b43c3c617fff9676b84f3b508a15b 100644 (file)
--- a/include/haproxy/xprt_quic-t.h
+++ b/include/haproxy/xprt_quic-t.h
@@ -403,7 +403,7 @@ struct quic_rx_packet {
        /* Packet number length */
        uint32_t pnl;
        uint64_t token_len;
-       const unsigned char *token;
+       unsigned char *token;
        /* Packet length */
        uint64_t len;
        /* Packet length before decryption */

diff --git a/src/quic_tls.c b/src/quic_tls.c
index 14b7e169876b6499261a2a0b8f3e8261d092ca3c..28c7d755f8ba160625646f794a1df5bd04abd854 100644 (file)
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -1,3 +1,5 @@
+#include <haproxy/quic_tls.h>
+
 #include <string.h>
 
 #include <openssl/ssl.h>

diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index 042bd17aec4b391732e46cf25618fa2c0a428468..072fa3c134af69048019c9dc4748dab1985ebb24 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -5433,7 +5433,7 @@ static int quic_generate_retry_token(unsigned char *buf, size_t len,
  * of client source connection ID.
  * Return 1 if succeeded, 0 if not.
  */
-static int quic_retry_token_check(const unsigned char *token, size_t tokenlen,
+static int quic_retry_token_check(unsigned char *token, size_t tokenlen,
                                   const struct quic_version *qv,
                                   struct quic_cid *odcid,
                                   const struct quic_cid *dcid,