MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters...
authorFrederic Lecaille <flecaille@haproxy.com>
Mon, 19 May 2025 15:36:19 +0000 (17:36 +0200)
committerFrederic Lecaille <flecaille@haproxy.com>
Tue, 20 May 2025 13:00:06 +0000 (15:00 +0200)
A QUIC connection must send its transport parameters using a TLS custom extension. This
extension is reset by SSL_set_SSL_CTX(). It can be restored by calling
quic_ssl_set_tls_cbs() (which calls SSL_set_quic_tls_cbs()).

src/ssl_clienthello.c
src/ssl_gencert.c

index 4f939440cecea73083d2f47de008f29b3faa3aee..1ee13bae1eda8273a503cf4984f820d3ab1b73c6 100644 (file)
@@ -16,6 +16,7 @@
 #include <haproxy/proto_tcp.h>
 #include <haproxy/quic_conn.h>
 #include <haproxy/quic_openssl_compat.h>
+#include <haproxy/quic_ssl.h>
 #include <haproxy/quic_tp.h>
 #include <haproxy/ssl_ckch.h>
 #include <haproxy/ssl_gencert.h>
@@ -28,6 +29,9 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
        SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
        SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
        SSL_set_SSL_CTX(ssl, ctx);
+#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
+       quic_ssl_set_tls_cbs(ssl);
+#endif
 }
 
 /*
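Review bot: The same two-line restore (`SSL_set_SSL_CTX()` immediately followed by `quic_ssl_set_tls_cbs()` under `#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)`) is now repeated here and three more times in ssl_gencert.c (ssl_sock_assign_generated_cert and both branches of ssl_sock_generate_certificate), with nothing at any call site saying why; a future SSL_set_SSL_CTX() caller that omits the second call silently drops the transport-parameters extension and the QUIC handshake cannot complete. Consider a small wrapper that pairs the two, e.g. a static inline `ssl_sock_set_ssl_ctx(SSL *ssl, SSL_CTX *ctx)` in a shared header, so the restore cannot be forgotten, or at least a comment at each site such as `/* SSL_set_SSL_CTX() resets the QUIC TLS callbacks (transport parameters extension); restore them. */`. The return value of quic_ssl_set_tls_cbs() is discarded at every site; if it can fail, the failure should be propagated or at least logged, and if it cannot, a void signature would document that. ssl_sock_switchctx_set() looks like it is also reached for non-QUIC TLS connections, so it would be worth confirming (and noting in the comment) that quic_ssl_set_tls_cbs() is safe or a no-op on a non-QUIC SSL object.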
index 551331644719c3b436a820b7075d4de724b9d63b..375eb4883eca79ba98616ebe4713ae6dbd8ba7ec 100644 (file)
@@ -12,6 +12,7 @@
 
 #include <haproxy/errors.h>
 #include <haproxy/openssl-compat.h>
+#include <haproxy/quic_ssl.h>
 #include <haproxy/ssl_ckch.h>
 #include <haproxy/ssl_sock.h>
 #include <haproxy/xxhash.h>
@@ -284,8 +285,12 @@ SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind
                HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0);
                if (lru && lru->domain) {
-                       if (ssl)
+                       if (ssl) {
                                SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
+#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
+                               quic_ssl_set_tls_cbs(ssl);
+#endif
+                       }
                        HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                        return (SSL_CTX *)lru->data;
                }
@@ -354,12 +359,18 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
                        lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
                }
                SSL_set_SSL_CTX(ssl, ssl_ctx);
+#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
+               quic_ssl_set_tls_cbs(ssl);
+#endif
                HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                return 1;
        }
        else {
                ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
                SSL_set_SSL_CTX(ssl, ssl_ctx);
+#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
+               quic_ssl_set_tls_cbs(ssl);
+#endif
                /* No LRU cache, this CTX will be released as soon as the session dies */
                SSL_CTX_free(ssl_ctx);
                return 1;