From f3c40f83fbfc6fb60ba5608ccfbd00fb51e6f9b3 Mon Sep 17 00:00:00 2001 From: Amaury Denoyelle Date: Fri, 30 Sep 2022 17:37:38 +0200 Subject: [PATCH] BUG/MINOR: quic: adjust quic_tls prototypes Two prototypes in quic_tls module were not identical to the actual function definition. * quic_tls_decrypt2() : the second argument const attribute is not present, to be able to use it with EVP_CIPHER_CTX_ctlr(). As a consequence of this change, token field of quic_rx_packet is now declared as non-const. * quic_tls_generate_retry_integrity_tag() : the second argument type differ between the two. Adjust this by fixing it to as unsigned char to match EVP_EncryptUpdate() SSL function. This situation did not seem to have any visible effect. However, this is clearly an undefined behavior and should be treated as a bug. This should be backported up to 2.6. --- include/haproxy/quic_tls.h | 4 ++-- include/haproxy/xprt_quic-t.h | 2 +- src/quic_tls.c | 2 ++ src/xprt_quic.c | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h index dc2651f8b..40458961e 100644 --- a/include/haproxy/quic_tls.h +++ b/include/haproxy/quic_tls.h @@ -50,7 +50,7 @@ int quic_tls_encrypt(unsigned char *buf, size_t len, const unsigned char *key, const unsigned char *iv); int quic_tls_decrypt2(unsigned char *out, - const unsigned char *in, size_t ilen, + unsigned char *in, size_t ilen, unsigned char *aad, size_t aad_len, EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv); @@ -60,7 +60,7 @@ int quic_tls_decrypt(unsigned char *buf, size_t len, EVP_CIPHER_CTX *tls_ctx, const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv); -int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, size_t odcid_len, +int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, unsigned char odcid_len, unsigned char *buf, size_t len, const struct quic_version *qv); diff --git a/include/haproxy/xprt_quic-t.h b/include/haproxy/xprt_quic-t.h index 9af3cc6b0..e7aefea8a 100644 --- a/include/haproxy/xprt_quic-t.h +++ b/include/haproxy/xprt_quic-t.h @@ -403,7 +403,7 @@ struct quic_rx_packet { /* Packet number length */ uint32_t pnl; uint64_t token_len; - const unsigned char *token; + unsigned char *token; /* Packet length */ uint64_t len; /* Packet length before decryption */ diff --git a/src/quic_tls.c b/src/quic_tls.c index 14b7e1698..28c7d755f 100644 --- a/src/quic_tls.c +++ b/src/quic_tls.c @@ -1,3 +1,5 @@ +#include + #include #include diff --git a/src/xprt_quic.c b/src/xprt_quic.c index 042bd17ae..072fa3c13 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -5433,7 +5433,7 @@ static int quic_generate_retry_token(unsigned char *buf, size_t len, * of client source connection ID. * Return 1 if succeeded, 0 if not. */ -static int quic_retry_token_check(const unsigned char *token, size_t tokenlen, +static int quic_retry_token_check(unsigned char *token, size_t tokenlen, const struct quic_version *qv, struct quic_cid *odcid, const struct quic_cid *dcid,