mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-05-12 00:36:09 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: do not set conn member if ssl_sock_ctx

Browse Source 
ssl_sock_ctx is a generic object used both on TCP/SSL and QUIC stacks.
Most notably it contains a <conn> member which is a pointer to struct
connection.

On QUIC frontend side, this member is always set to NULL. Indeed,
connection is only created after handshake completion. However, this has
changed for backend side, where the connection is instantiated prior to
its quic_conn counterpart. Thus, ssl_sock_ctx member would be set in
this case as a convenience for use later in qc_ssl_do_hanshake().

However, this method was unsafe as the connection can be released,
without resetting ssl_sock_ctx member. Thus, the previous patch fixes
this by using on <conn> member through the quic_conn instance which is
the proper way.

Thus, this patch resets ssl_sock_ctx <conn> member to NULL. This is
deemed the cleanest method as it ensures that both frontend and backend
sides must not use it anymore.
This commit is contained in:
Amaury Denoyelle 2025-11-04 17:28:56 +01:00
parent 69de7ec14e
commit 5a17cade4f
3 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/quic_ssl.h
View File

@ -35,7 +35,7 @@
int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn);
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target);
int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx);

2
src/quic_conn.c
View File

@ -1359,7 +1359,7 @@ struct quic_conn *qc_new_conn(const struct quic_version *qv, int ipv4,
qc->wait_event.events = 0;
qc->subs = NULL;
if (qc_alloc_ssl_sock_ctx(qc, conn) ||
if (qc_alloc_ssl_sock_ctx(qc, target) ||
!quic_conn_init_timer(qc) ||
!quic_conn_init_idle_timer_task(qc, prx))
goto err;

20
src/quic_ssl.c
View File

@ -1183,7 +1183,7 @@ static int quic_ssl_set_tls_cbs(SSL *ssl)
* CO_ER_SSL_NO_MEM.
*/
static int qc_ssl_sess_init(struct quic_conn *qc, SSL_CTX *ssl_ctx, SSL **ssl,
struct connection *conn, int server)
int server)
{
int retry, ret = -1;
@ -1263,10 +1263,12 @@ static int qc_set_quic_early_data_enabled(struct quic_conn *qc, SSL *ssl)
*
* Returns 0 on success else non-zero.
*/
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target)
{
int ret = 0;
struct ssl_sock_ctx *ctx = NULL;
struct bind_conf *bc;
struct server *srv;
int ret = 0;
TRACE_ENTER(QUIC_EV_CONN_NEW, qc);
@ -1276,7 +1278,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
goto err;
}
ctx->conn = conn;
ctx->conn = NULL;
ctx->bio = NULL;
ctx->xprt = NULL;
ctx->xprt_ctx = NULL;
@ -1289,9 +1291,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
ctx->qc = qc;
if (!qc_is_back(qc)) {
struct bind_conf *bc = qc->li->bind_conf;
if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, NULL, 1) == -1)
bc = __objt_listener(target)->bind_conf;
if (qc_ssl_sess_init(qc, bc->initial_ctx, &ctx->ssl, 1) == -1)
goto err;
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
/* Enabling 0-RTT */
@ -1302,9 +1303,8 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
SSL_set_accept_state(ctx->ssl);
}
else {
struct server *srv = __objt_server(ctx->conn->target);
if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, conn, 0) == -1)
srv = __objt_server(target);
if (qc_ssl_sess_init(qc, srv->ssl_ctx.ctx, &ctx->ssl, 0) == -1)
goto err;
if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))