From: Frederic Lecaille
Date: Mon, 18 Dec 2023 16:06:40 +0000 (+0100)
Subject: MINOR: quic-be: Add a function for the TLS context allocations
X-Git-Tag: v3.3-dev2~105
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1e45690656fc1ec0173c44f1631d808e452c4a1b;p=thirdparty%2Fhaproxy.git

MINOR: quic-be: Add a function for the TLS context allocations

Implement ssl_quic_srv_new_ssl_ctx() whose aim is to allocate a TLS context for QUIC servers.
---

diff --git a/include/haproxy/quic_ssl.h b/include/haproxy/quic_ssl.h
index 504d7f03a..1d4bd590c 100644
--- a/include/haproxy/quic_ssl.h
+++ b/include/haproxy/quic_ssl.h
@@ -34,6 +34,7 @@
 #include
 int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
+SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
 int qc_alloc_ssl_sock_ctx(struct quic_conn *qc);
 int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
 int quic_ssl_set_tls_cbs(SSL *ssl);
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 4b2cede18..21fe16255 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -754,6 +754,35 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 return cfgerr;
 }
+/* Allocate a TLS context for a QUIC server.
+ * Return this context if succeeded, NULL if failed.
+ */
+SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
+{
+ SSL_CTX *ctx;
+ /* XXX TODO: check this: XXX */
+ long options =
+ (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
+ SSL_OP_SINGLE_ECDH_USE |
+ SSL_OP_CIPHER_SERVER_PREFERENCE;
+ TRACE_ENTER(QUIC_EV_CONN_NEW);
+ ctx = SSL_CTX_new(TLS_client_method());
+ if (!ctx) {
+ TRACE_ERROR("Could not allocate a new TLS context", QUIC_EV_CONN_NEW);
+ goto leave;
+ }
+
+ SSL_CTX_set_options(ctx, options);
+ SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+ SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+
+ leave:
+ TRACE_LEAVE(QUIC_EV_CONN_NEW);
+ return ctx;
+}
+
 /* This function gives the detail of the SSL error. It is used only
 * if the debug mode and the verbose mode are activated. It dump all
 * the SSL error until the stack was empty.
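Review bot: The `/* XXX TODO: check this: XXX */` left on `options` is warranted: the context is created with `TLS_client_method()` yet the option set includes `SSL_OP_CIPHER_SERVER_PREFERENCE`, which only affects the server side of a handshake, and `SSL_OP_SINGLE_ECDH_USE`, a no-op since OpenSSL 1.1.0, so the flags look carried over from the listener context rather than chosen for an outgoing connection. The header comment should also state that "QUIC server" here means a backend server haproxy connects to, i.e. this context plays the TLS client role, otherwise a reader will take the client method as a bug; suggested wording: `/* Allocate a TLS context used to connect to a QUIC backend server (TLS client role, TLS 1.3 only). Return this context if succeeded, NULL if failed. */`. Note too that an `SSL_CTX` built this way keeps OpenSSL's default verify mode (`SSL_VERIFY_NONE`); if the backend's certificate verification and CA store are applied later on the `SSL` object from the server configuration, a one-line comment saying so after `SSL_CTX_set_options(ctx, options);` would settle the question, and if not, they need to be set before this context is used. Finally, with OpenSSL 3.x `SSL_CTX_set_options` takes a `uint64_t`, so `long options` is worth reconsidering for 32-bit builds even though the flags used here fit.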