RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-03 02:32:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels

Browse Source 
The ->openssl_compat struct member of the QUIC connection object was not fully
initialized. This was done on purpose, believing that ->write_level and
->read_level member was initialized by quic_tls_compat_keylog_callback() (the
keylog callback) before entering quic_tls_compat_msg_callback() which
has to parse the TLS messages. In fact this is not the case at all.
quic_tls_compat_msg_callback() is called before quic_tls_compat_keylog_callback()
when receiving the first TLS ClientHello message.

->write_level and ->read_level was not initialized to <ssl_encryption_initial> (= 0)
as this is implicitely done by the originial ngxinx wrapper which calloc()s the openssl
compatibily structure. This could lead to a crash after ssl_to_qel_addr() returns
NULL when called by ha_quic_add_handshake_data().

This patch explicitely initialializes ->write_level and ->read_level to
<ssl_encryption_initial> (=0).

No need to backport.
This commit is contained in:
Frédéric Lécaille 2023-07-31 15:07:06 +02:00
parent d52da4ef70
commit bdd863477d
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/quic_openssl_compat.c
View File

@ -409,6 +409,8 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
qc->openssl_compat.rbio = rbio; qc->openssl_compat.rbio = rbio;
qc->openssl_compat.wbio = wbio; qc->openssl_compat.wbio = wbio;
qc->openssl_compat.method = quic_method; qc->openssl_compat.method = quic_method;
qc->openssl_compat.read_level = ssl_encryption_initial;
qc->openssl_compat.write_level = ssl_encryption_initial;
ret = 1; ret = 1;
leave: leave: