BUG/MINOR: quic: Missing call to TLS message callbacks

This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT).

The TLS capture of information from client hello enabled by
tune.ssl.capture-buffer-size could not work with USE_QUIC_OPENSSL_COMPAT. This
is due to the fact the callback set for this feature was replaced by
quic_tls_compat_msg_callback(). In fact this called must be registered by
ssl_sock_register_msg_callback() as this done for the TLS client hello capture.
A call to this function appends the function passed as parameter to a list of
callbacks to be called when the TLS stack parse a TLS message.
quic_tls_compat_msg_callback() had to be modified to return if it is called
for a non-QUIC TLS session.

Must be backported to 2.8.

include/haproxy/quic_openssl_compat.h

@@ -15,6 +15,9 @@
 #define QUIC_OPENSSL_COMPAT_CLIENT_APPLICATION   "CLIENT_TRAFFIC_SECRET_0"
 #define QUIC_OPENSSL_COMPAT_SERVER_APPLICATION   "SERVER_TRAFFIC_SECRET_0"
 
+void quic_tls_compat_msg_callback(struct connection *conn,
+                                  int write_p, int version, int content_type,
+                                  const void *buf, size_t len, SSL *ssl);
 int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx);
 void quic_tls_compat_keylog_callback(const SSL *ssl, const char *line);
 

src/quic_openssl_compat.c

@@ -353,19 +353,22 @@ static int quic_tls_compat_create_record(struct quic_conn *qc,
 }
 
 /* Callback use to parse TLS messages for <ssl> TLS session. */
-static void quic_tls_compat_msg_callback(int write_p, int version, int content_type,
+void quic_tls_compat_msg_callback(struct connection *conn,
-                                         const void *buf, size_t len, SSL *ssl, void *arg)
+                                  int write_p, int version, int content_type,
+                                  const void *buf, size_t len, SSL *ssl)
 {
 	unsigned int alert;
 	enum ssl_encryption_level_t   level;
 	struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
-	struct quic_openssl_compat *com = &qc->openssl_compat;
+	struct quic_openssl_compat *com;
 
-	TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc);
+	if (!write_p || !qc)
-	if (!write_p)
 		goto leave;
 
-	level = qc->openssl_compat.write_level;
+	TRACE_ENTER(QUIC_EV_CONN_SSL_COMPAT, qc);
+
+	com = &qc->openssl_compat;
+	level = com->write_level;
 	switch (content_type) {
 	case SSL3_RT_HANDSHAKE:
 		com->method->add_handshake_data(ssl, level, buf, len);
@@ -399,7 +402,6 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
 		goto err;
 
 	SSL_set_bio(ssl, rbio, wbio);
-	SSL_set_msg_callback(ssl, quic_tls_compat_msg_callback);
 	/* No ealy data support */
 	SSL_set_max_early_data(ssl, 0);
 

src/ssl_sock.c

@@ -63,10 +63,11 @@
 #include <haproxy/pattern-t.h>
 #include <haproxy/proto_tcp.h>
 #include <haproxy/proxy.h>
+#include <haproxy/quic_conn.h>
+#include <haproxy/quic_openssl_compat.h>
+#include <haproxy/quic_tp.h>
 #include <haproxy/sample.h>
 #include <haproxy/sc_strm.h>
-#include <haproxy/quic_conn.h>
-#include <haproxy/quic_tp.h>
 #include <haproxy/server.h>
 #include <haproxy/shctx.h>
 #include <haproxy/ssl_ckch.h>
@@ -609,6 +610,10 @@ static int ssl_sock_register_msg_callbacks(void)
 			return ERR_ABORT;
 	}
 #endif
+#ifdef USE_QUIC_OPENSSL_COMPAT
+	if (!ssl_sock_register_msg_callback(quic_tls_compat_msg_callback))
+		return ERR_ABORT;
+#endif
 
 	return ERR_NONE;
 }