From 58830990d028bdccf22f0e34142cc90bb7a9c153 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 3 Mar 2026 09:02:44 +0100
Subject: [PATCH] MINOR: quic: use signed char type for ALPN manipulation

In most of haproxy code, ALPN is used as a signed char pointer. In QUIC
code instead, it is manipulated as unsigned.

Unifies this by using signed type in QUIC code. This allows to remove a
bunch of unnecessary casts.
---
 include/haproxy/quic_conn.h |  4 ++--
 src/quic_conn.c             |  6 +++---
 src/quic_ssl.c              | 10 +++++-----
 src/ssl_sock.c              |  2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h
index 92e6c1c74..c34681e7d 100644
--- a/include/haproxy/quic_conn.h
+++ b/include/haproxy/quic_conn.h
@@ -84,7 +84,7 @@ void qc_check_close_on_released_mux(struct quic_conn *qc);
 int quic_stateless_reset_token_cpy(unsigned char *pos, size_t len,
                                    const unsigned char *salt, size_t saltlen);
 int quic_reuse_srv_params(struct quic_conn *qc,
-                          const unsigned char *alpn,
+                          const char *alpn,
                           const struct quic_early_transport_params *etps);
 
 /* Returns true if <qc> is used on the backed side (as a client). */
@@ -204,7 +204,7 @@ static inline void *qc_counters(enum obj_type *o, const struct stats_module *m)
 void chunk_frm_appendf(struct buffer *buf, const struct quic_frame *frm);
 void quic_set_connection_close(struct quic_conn *qc, const struct quic_err err);
 void quic_set_tls_alert(struct quic_conn *qc, int alert);
-int quic_set_app_ops(struct quic_conn *qc, const unsigned char *alpn, size_t alpn_len);
+int quic_set_app_ops(struct quic_conn *qc, const char *alpn, int alpn_len);
 int qc_check_dcid(struct quic_conn *qc, unsigned char *dcid, size_t dcid_len);
 
 void qc_notify_err(struct quic_conn *qc);
diff --git a/src/quic_conn.c b/src/quic_conn.c
index ac4cf2a84..61552e905 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -272,7 +272,7 @@ void quic_set_tls_alert(struct quic_conn *qc, int alert)
 /* Set the application for <qc> QUIC connection.
  * Return 1 if succeeded, 0 if not.
  */
-int quic_set_app_ops(struct quic_conn *qc, const unsigned char *alpn, size_t alpn_len)
+int quic_set_app_ops(struct quic_conn *qc, const char *alpn, int alpn_len)
 {
 	if (alpn_len >= 2 && memcmp(alpn, "h3", 2) == 0)
 		qc->app_ops = &h3_ops;
@@ -290,14 +290,14 @@ int quic_set_app_ops(struct quic_conn *qc, const unsigned char *alpn, size_t alp
  * Return 1 if succeeded, 0 if not.
  */
 int quic_reuse_srv_params(struct quic_conn *qc,
-                          const unsigned char *alpn,
+                          const char *alpn,
                           const struct quic_early_transport_params *etps)
 {
 	int ret = 0;
 
 	TRACE_ENTER(QUIC_EV_CONN_NEW, qc);
 
-	if (!alpn || !quic_set_app_ops(qc, alpn, strlen((char *)alpn)))
+	if (!alpn || !quic_set_app_ops(qc, alpn, strlen(alpn)))
 		goto err;
 
 	qc_early_transport_params_reuse(qc, &qc->tx.params, etps);
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index ad3c3c509..88f3268d0 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1011,11 +1011,11 @@ int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 			}
 		}
 		else if (qc->conn) {
-			const unsigned char *alpn;
-			size_t alpn_len;
+			const char *alpn;
+			int alpn_len;
 
 			qc->conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
-			if (!ssl_sock_get_alpn(qc->conn, ctx, (const char **)&alpn, (int *)&alpn_len) ||
+			if (!ssl_sock_get_alpn(qc->conn, ctx, &alpn, &alpn_len) ||
 			    !quic_set_app_ops(qc, alpn, alpn_len)) {
 				TRACE_ERROR("No negotiated ALPN", QUIC_EV_CONN_IO_CB, qc, &state);
 				quic_set_tls_alert(qc, SSL_AD_NO_APPLICATION_PROTOCOL);
@@ -1358,7 +1358,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target)
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
 		if ((srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA)) {
 			int ret;
-			unsigned char *alpn;
+			char *alpn;
 			struct quic_early_transport_params *etps;
 			/* This code is called by connect_server() by way of
 			 * conn_prepare().
@@ -1374,7 +1374,7 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target)
 			 * able to send data at early-data level.
 			 */
 			HA_RWLOCK_RDLOCK(SERVER_LOCK, &srv->path_params.param_lock);
-			alpn = (unsigned char *)srv->path_params.nego_alpn;
+			alpn = srv->path_params.nego_alpn;
 			etps = &srv->path_params.tps;
 			ret = quic_reuse_srv_params(qc, alpn, etps);
 			HA_RWLOCK_RDUNLOCK(SERVER_LOCK, &srv->path_params.param_lock);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 483532bf3..ff266f0ea 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2242,7 +2242,7 @@ static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
 	}
 
 #ifdef USE_QUIC
-	if (qc && !quic_set_app_ops(qc, *out, *outlen)) {
+	if (qc && !quic_set_app_ops(qc, (const char *)*out, *outlen)) {
 		quic_set_tls_alert(qc, SSL_AD_NO_APPLICATION_PROTOCOL);
 		return SSL_TLSEXT_ERR_NOACK;
 	}