BUG/MINOR: quic: adjust quic_tls prototypes

Two prototypes in quic_tls module were not identical to the actual function definition. * quic_tls_decrypt2() : the second argument const attribute is not present, to be able to use it with EVP_CIPHER_CTX_ctlr(). As a consequence of this change, token field of quic_rx_packet is now declared as non-const. * quic_tls_generate_retry_integrity_tag() : the second argument type differ between the two. Adjust this by fixing it to as unsigned char to match EVP_EncryptUpdate() SSL function. This situation did not seem to have any visible effect. However, this is clearly an undefined behavior and should be treated as a bug. This should be backported up to 2.6.
2025-08-07 15:47:01 +02:00 · 2022-09-30 17:37:38 +02:00 · 2022-09-30 17:37:38 +02:00 · f3c40f83fb
commit f3c40f83fb
parent a19bb6f0b2
4 changed files with 6 additions and 4 deletions
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@ -50,7 +50,7 @@ int quic_tls_encrypt(unsigned char *buf, size_t len,
                     const unsigned char *key, const unsigned char *iv);

 int quic_tls_decrypt2(unsigned char *out,
-                      const unsigned char *in, size_t ilen,
+                      unsigned char *in, size_t ilen,
                      unsigned char *aad, size_t aad_len,
                      EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
                      const unsigned char *key, const unsigned char *iv);
@ -60,7 +60,7 @@ int quic_tls_decrypt(unsigned char *buf, size_t len,
                     EVP_CIPHER_CTX *tls_ctx, const EVP_CIPHER *aead,
                     const unsigned char *key, const unsigned char *iv);

-int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, size_t odcid_len,
+int quic_tls_generate_retry_integrity_tag(unsigned char *odcid, unsigned char odcid_len,
                                          unsigned char *buf, size_t len,
                                          const struct quic_version *qv);

--- a/include/haproxy/xprt_quic-t.h
+++ b/include/haproxy/xprt_quic-t.h
@ -403,7 +403,7 @@ struct quic_rx_packet {
 	/* Packet number length */
 	uint32_t pnl;
 	uint64_t token_len;
-	const unsigned char *token;
+	unsigned char *token;
 	/* Packet length */
 	uint64_t len;
 	/* Packet length before decryption */
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@ -1,3 +1,5 @@
+#include <haproxy/quic_tls.h>
+
 #include <string.h>

 #include <openssl/ssl.h>
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@ -5433,7 +5433,7 @@ static int quic_generate_retry_token(unsigned char *buf, size_t len,
 * of client source connection ID.
 * Return 1 if succeeded, 0 if not.
 */
-static int quic_retry_token_check(const unsigned char *token, size_t tokenlen,
+static int quic_retry_token_check(unsigned char *token, size_t tokenlen,
                                  const struct quic_version *qv,
                                  struct quic_cid *odcid,
                                  const struct quic_cid *dcid,