mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-06 15:17:01 +02:00
dc6a3c329a
This patch allows the use of the new OpenSSL 3.5.0 QUIC TLS API when it is available and detected at compilation time. The detection relies on the presence of the OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND macro from openssl-compat.h. Indeed this macro is defined by OpenSSL since 3.5.0 version. It is not defined by quictls. This helps in distinguishing these two TLS stacks. When the detection succeeds, HAVE_OPENSSL_QUIC is also defined by openssl-compat.h. Then, this is this new macro which is used to detect the availability of the new OpenSSL 3.5.0 QUIC TLS API. Note that this detection is done only if USE_QUIC_OPENSSL_COMPAT is not asked. So, USE_QUIC_OPENSSL_COMPAT and HAVE_OPENSSL_QUIC are exclusive. At the same location, from openssl-compat.h, ssl_encryption_level_t enum is defined. This enum was defined by quictls and expansively used by the haproxy QUIC implementation. SSL_set_quic_transport_params() is replaced by SSL_set_quic_tls_transport_params. SSL_set_quic_early_data_enabled() (quictls) is also replaced by SSL_set_quic_tls_early_data_enabled() (OpenSSL). SSL_quic_read_level() (quictls) is not defined by OpenSSL. It is only used by the traces to log the current TLS stack decryption level (read). A macro makes it return -1 which is an usused values. The most of the differences between quictls and OpenSSL QUI APIs are in quic_ssl.c where some callbacks must be defined for these two APIs. This is why this patch modifies quic_ssl.c to define an array of OSSL_DISPATCH structs: <ha_quic_dispatch>. Each element of this arry defines a callback. So, this patch implements these six callabcks: - ha_quic_ossl_crypto_send() - ha_quic_ossl_crypto_recv_rcd() - ha_quic_ossl_crypto_release_rcd() - ha_quic_ossl_yield_secret() - ha_quic_ossl_got_transport_params() and - ha_quic_ossl_alert(). But at this time, these implementations which must return an int return 0 interpreted as a failure by the OpenSSL QUIC API, except for ha_quic_ossl_alert() which is implemented the same was as for quictls. The five remaining functions above will be implemented by the next patches to come. ha_quic_set_encryption_secrets() and ha_quic_add_handshake_data() have been moved to be defined for both quictls and OpenSSL QUIC API. These callbacks are attached to the SSL objects (sessions) calling qc_ssl_set_cbs() new function. This latter callback the correct function to attached the correct callbacks to the SSL objects (defined by <ha_quic_method> for quictls, and <ha_quic_dispatch> for OpenSSL). The calls to SSL_provide_quic_data() and SSL_process_quic_post_handshake() have been also disabled. These functions are not defined by OpenSSL QUIC API. At this time, the functions which call them are still defined when HAVE_OPENSSL_QUIC is defined.
92 lines
2.4 KiB
C
92 lines
2.4 KiB
C
/*
|
|
* include/haproxy/quic_ssl.h
|
|
* This file contains QUIC over TLS/SSL api definitions.
|
|
*
|
|
* Copyright (C) 2023
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation, version 2.1
|
|
* exclusively.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
#ifndef _HAPROXY_QUIC_SSL_H
|
|
#define _HAPROXY_QUIC_SSL_H
|
|
|
|
#ifdef USE_QUIC
|
|
#ifndef USE_OPENSSL
|
|
#error "Must define USE_OPENSSL"
|
|
#endif
|
|
|
|
#include <haproxy/listener-t.h>
|
|
#include <haproxy/ncbuf-t.h>
|
|
#include <haproxy/openssl-compat.h>
|
|
#include <haproxy/pool.h>
|
|
#include <haproxy/quic_ssl-t.h>
|
|
#include <haproxy/ssl_sock-t.h>
|
|
|
|
int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
|
|
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc);
|
|
int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
|
|
int quic_ssl_set_tls_cbs(SSL *ssl);
|
|
|
|
static inline void qc_free_ssl_sock_ctx(struct ssl_sock_ctx **ctx)
|
|
{
|
|
if (!*ctx)
|
|
return;
|
|
|
|
SSL_free((*ctx)->ssl);
|
|
pool_free(pool_head_quic_ssl_sock_ctx, *ctx);
|
|
*ctx = NULL;
|
|
}
|
|
|
|
#if defined(HAVE_SSL_0RTT_QUIC)
|
|
static inline int qc_ssl_eary_data_accepted(const SSL *ssl)
|
|
{
|
|
#if defined(OPENSSL_IS_AWSLC)
|
|
return SSL_early_data_accepted(ssl);
|
|
#else
|
|
return SSL_get_early_data_status(ssl) == SSL_EARLY_DATA_ACCEPTED;
|
|
#endif
|
|
}
|
|
|
|
static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
|
|
{
|
|
#if defined(OPENSSL_IS_AWSLC)
|
|
if (SSL_early_data_accepted(ssl))
|
|
return "ACCEPTED";
|
|
else
|
|
return "UNKNOWN";
|
|
#else
|
|
int early_data_status = SSL_get_early_data_status(ssl);
|
|
|
|
switch (early_data_status) {
|
|
case SSL_EARLY_DATA_ACCEPTED:
|
|
return "ACCEPTED";
|
|
case SSL_EARLY_DATA_REJECTED:
|
|
return "REJECTED";
|
|
case SSL_EARLY_DATA_NOT_SENT:
|
|
return "NOT_SENT";
|
|
default:
|
|
return "UNKNOWN";
|
|
}
|
|
#endif
|
|
}
|
|
#else
|
|
static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
|
|
{
|
|
return "NOT_SUPPORTED";
|
|
}
|
|
#endif
|
|
|
|
#endif /* USE_QUIC */
|
|
#endif /* _HAPROXY_QUIC_SSL_H */
|