From 6aec1f380e095cc36b279c4c9e1a955d01d41f6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Tue, 6 Sep 2022 17:04:55 +0200
Subject: [PATCH] BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines

ssl_tlsext_ticket_key_cb() is called when "tls-ticket-keys" option is used on a "bind" line. It needs to have an access to the TLS ticket keys which have been stored into the listener bind_conf struct. The fix consists in nitializing the variable (references to TLS secret keys) the correct way when this callback is called for a QUIC connection. The bind_conf struct is store into the quic_conn object (QUIC connection). This issue may be in relation with GH #1851. Thank you for @tasavis for the report. Must be backported to 2.6.
---
 src/ssl_sock.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 02b369a79..0edad3b08 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1154,15 +1154,28 @@ static int ssl_hmac_init(MAC_CTX *hctx, unsigned char *key, int key_len, const E
 static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
 {
- struct tls_keys_ref *ref;
+ struct tls_keys_ref *ref = NULL;
 union tls_sess_key *keys;
- struct connection *conn;
 int head;
 int i;
 int ret = -1; /* error by default */
+ struct connection *conn = SSL_get_ex_data(s, ssl_app_data_index);
+#ifdef USE_QUIC
+ struct quic_conn *qc = SSL_get_ex_data(s, ssl_qc_app_data_index);
+#endif
+
+ if (conn)
+ ref = __objt_listener(conn->target)->bind_conf->keys_ref;
+#ifdef USE_QUIC
+ else if (qc)
+ ref = qc->li->bind_conf->keys_ref;
+#endif
+
+ if (!ref) {
+ /* must never happen */
+ ABORT_NOW();
+ }
- conn = SSL_get_ex_data(s, ssl_app_data_index);
- ref = __objt_listener(conn->target)->bind_conf->keys_ref;
 HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock);
 keys = ref->tlskeys;
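Review bot: The new `if (!ref)` branch calls `ABORT_NOW()` inside a callback that runs during peer-initiated TLS/QUIC handshakes, so any remaining case where neither ex_data slot yields a `keys_ref` stops the whole process instead of failing one handshake. Because `ret` is already `-1` ("error by default") and the check sits before `HA_RWLOCK_RDLOCK`, `if (!ref) return ret;` looks like it would reject only the offending handshake without leaving a lock held; if the hard stop is intentional, the `/* must never happen */` comment should say why aborting is preferred over an error return. In the QUIC branch `qc->li` and `qc->li->bind_conf` are dereferenced without a check; presumably both are always set for a listener-side `quic_conn`, but that is not visible here and is worth confirming for connections that are being torn down. The body of `ssl_tlsext_ticket_key_cb()` continues outside the hunk.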