mirror/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git synced 2026-02-10 13:02:44 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
5d05f343b9cf952844b03d4b8988e558ff1f6fc2
haproxy/include/haproxy/quic_ssl.h
Frederic Lecaille 878a72d001 BUG/MEDIUM: quic: listener connection stuck during handshakes (OpenSSL 3.5) 
This issue was reported in GH #3071 by @famfo where a wireshark capture
reveals that some handshake could not complete after having received
two Initial packets. This could happen when the packets were parsed
in two times, calling qc_ssl_provide_all_quic_data() two times.

This is due to crypto data stream counter which was incremented two times
from qc_ssl_provide_all_quic_data() (see cstream->rx.offset += data
statement around line 1223 in quic_ssl.c). One time by the callback
which "receives" the crypto data, and on time by qc_ssl_provide_all_quic_data().

Then when parsing the second crypto data frame, the parser detected
that the crypto were already provided.

To fix this, one could comment the code which increment the crypto data
stream counter by <data>. That said, when using the OpenSSL 3.5 QUIC API
one should not modified the crypto data stream outside of the OpenSSL 3.5
QUIC API.

So, this patch stop calling qc_ssl_provide_all_quic_data() and
qc_ssl_provide_quic_data() and only calls qc_ssl_do_hanshake() after
having received some crypto data. In addition to this, as these functions
are no more called when building haproxy against OpenSSL 3.5, this patch
disable their compilations (with #ifndef HAVE_OPENSSL_QUIC).

This patch depends on this previous one:

     MINOR: quic: implement qc_ssl_do_hanshake()

Thank you to @famto for this report.

Must be backported to 3.2.
2025-08-14 14:54:47 +02:00

93 lines
2.5 KiB
C
Raw Blame History

/*
* include/haproxy/quic_ssl.h
* This file contains QUIC over TLS/SSL api definitions.
*
* Copyright (C) 2023
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef _HAPROXY_QUIC_SSL_H
#define _HAPROXY_QUIC_SSL_H
#ifdef USE_QUIC
#ifndef USE_OPENSSL
#error "Must define USE_OPENSSL"
#endif
#include <haproxy/listener-t.h>
#include <haproxy/ncbuf-t.h>
#include <haproxy/openssl-compat.h>
#include <haproxy/pool.h>
#include <haproxy/quic_ssl-t.h>
#include <haproxy/ssl_sock-t.h>
int ssl_quic_initial_ctx(struct bind_conf *bind_conf);
SSL_CTX *ssl_quic_srv_new_ssl_ctx(void);
int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn);
int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx);
static inline void qc_free_ssl_sock_ctx(struct ssl_sock_ctx **ctx)
{
if (!*ctx)
return;
SSL_free((*ctx)->ssl);
pool_free(pool_head_quic_ssl_sock_ctx, *ctx);
*ctx = NULL;
}
#if defined(HAVE_SSL_0RTT_QUIC)
static inline int qc_ssl_eary_data_accepted(const SSL *ssl)
{
#if defined(OPENSSL_IS_AWSLC)
return SSL_early_data_accepted(ssl);
#else
return SSL_get_early_data_status(ssl) == SSL_EARLY_DATA_ACCEPTED;
#endif
}
static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
{
#if defined(OPENSSL_IS_AWSLC)
if (SSL_early_data_accepted(ssl))
return "ACCEPTED";
else
return "UNKNOWN";
#else
int early_data_status = SSL_get_early_data_status(ssl);
switch (early_data_status) {
case SSL_EARLY_DATA_ACCEPTED:
return "ACCEPTED";
case SSL_EARLY_DATA_REJECTED:
return "REJECTED";
case SSL_EARLY_DATA_NOT_SENT:
return "NOT_SENT";
default:
return "UNKNOWN";
}
#endif
}
#else
static inline const char *quic_ssl_early_data_status_str(const SSL *ssl)
{
return "NOT_SUPPORTED";
}
#endif
#endif /* USE_QUIC */
#endif /* _HAPROXY_QUIC_SSL_H */
Reference in New Issue View Git Blame Copy Permalink