From: Frederic Lecaille Date: Wed, 9 Jul 2025 09:43:02 +0000 (+0200) Subject: BUG/MINOR: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=494346e0b7a837e62001aacb9803830e700e5eae;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5) Revert this patch which is no more useful since OpenSSL 3.5.1 to remove the QUIC server callback restoration after SSL context switch: MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset It was required for 3.5.0. That said, there was no CI for OpenSSL 3.5 at the date of this commit. The CI recently revealed that the QUIC server side could crash during QUIC reg tests just after having restored the callbacks as implemented by the commit above. Also revert this commit which is no more useful because it arrived with the commit above: BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3. Must be backported to 3.2.
---
diff --git a/include/haproxy/quic_ssl.h b/include/haproxy/quic_ssl.h
index 485abfa66..d19020213 100644
--- a/include/haproxy/quic_ssl.h
+++ b/include/haproxy/quic_ssl.h
@@ -37,7 +37,6 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
 SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
 int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn);
 int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
-int quic_ssl_set_tls_cbs(SSL *ssl);
 
 static inline void qc_free_ssl_sock_ctx(struct ssl_sock_ctx **ctx)
 {
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 3cb762753..af620efbe 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1121,14 +1121,8 @@ int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 }
 
 /* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */
-int quic_ssl_set_tls_cbs(SSL *ssl)
+static int quic_ssl_set_tls_cbs(SSL *ssl)
 {
- struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
-
- /* Ignore the TCP connections */
- if (!qc)
- return 1;
-
 #ifdef HAVE_OPENSSL_QUIC
 return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL);
 #else
diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index 747e74f91..9f7ec16d9 100644
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -29,9 +29,6 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
 SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
 SSL_set_SSL_CTX(ssl, ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
- quic_ssl_set_tls_cbs(ssl);
-#endif
 }
 
 /*
diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c
index 375eb4883..1fb84784f 100644
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@@ -285,12 +285,8 @@ SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind
 HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
 lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0);
 if (lru && lru->domain) {
- if (ssl) {
+ if (ssl)
 SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
- quic_ssl_set_tls_cbs(ssl);
-#endif
- }
 HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
 return (SSL_CTX *)lru->data;
 }
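Review bot: With the `if (!qc) return 1;` guard gone, quic_ssl_set_tls_cbs() now installs the QUIC TLS callbacks on whatever SSL object it is handed, so correctness rests on an implicit precondition that every caller passes an SSL object owned by a QUIC connection; the removed guard's own comment ("Ignore the TCP connections") shows that this was not always the case at the former call sites in ssl_clienthello.c and ssl_gencert.c, which this same commit removes. Making the function static means the remaining callers are confined to quic_ssl.c (outside this hunk), which appears to make the precondition hold, but it deserves to be stated rather than inferred. A one-line header comment would do, e.g. `/* Install the OpenSSL/quictls QUIC TLS callbacks. Only for SSL objects owned by a QUIC connection: there is no TCP guard here, callers in this file must not pass TCP SSL objects. */`, which could also fix the typo "specifig" in the existing comment. The function's #else branch continues past the end of the hunk.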
@@ -359,18 +355,12 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
 lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
 }
 SSL_set_SSL_CTX(ssl, ssl_ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
- quic_ssl_set_tls_cbs(ssl);
-#endif
 HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
 return 1;
 }
 else {
 ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
 SSL_set_SSL_CTX(ssl, ssl_ctx);
-#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
- quic_ssl_set_tls_cbs(ssl);
-#endif
 /* No LRU cache, this CTX will be released as soon as the session dies */
 SSL_CTX_free(ssl_ctx);
 return 1;