BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines
ssl_tlsext_ticket_key_cb() is called when "tls-ticket-keys" option is used on a
"bind" line. It needs to have an access to the TLS ticket keys which have been
stored into the listener bind_conf struct. The fix consists in nitializing the
<ref> variable (references to TLS secret keys) the correct way when this callback
is called for a QUIC connection. The bind_conf struct is store into the quic_conn
object (QUIC connection).
This issue may be in relation with GH #1851. Thank you for @tasavis for the report.
Must be backported to 2.6.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 02b369a..0edad3b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1154,15 +1154,28 @@
static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc)
{
- struct tls_keys_ref *ref;
+ struct tls_keys_ref *ref = NULL;
union tls_sess_key *keys;
- struct connection *conn;
int head;
int i;
int ret = -1; /* error by default */
+ struct connection *conn = SSL_get_ex_data(s, ssl_app_data_index);
+#ifdef USE_QUIC
+ struct quic_conn *qc = SSL_get_ex_data(s, ssl_qc_app_data_index);
+#endif
+
+ if (conn)
+ ref = __objt_listener(conn->target)->bind_conf->keys_ref;
+#ifdef USE_QUIC
+ else if (qc)
+ ref = qc->li->bind_conf->keys_ref;
+#endif
+
+ if (!ref) {
+ /* must never happen */
+ ABORT_NOW();
+ }
- conn = SSL_get_ex_data(s, ssl_app_data_index);
- ref = __objt_listener(conn->target)->bind_conf->keys_ref;
HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock);
keys = ref->tlskeys;