From: Frédéric Lécaille Date: Thu, 22 Jun 2023 05:35:10 +0000 (+0200) Subject: MINOR: quic: Move QUIC TLS encryption level related code (quic_conn_enc_level_init()) X-Git-Tag: v2.9-dev1~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6593ec6f5eb8748a7dadd6979010e9c2f1fd2b55;p=thirdparty%2Fhaproxy.git MINOR: quic: Move QUIC TLS encryption level related code (quic_conn_enc_level_init()) quic_conn_enc_level_init() location is definitively in QUIC TLS API source file: src/quic_tls.c. --- diff --git a/include/haproxy/quic_conn-t.h b/include/haproxy/quic_conn-t.h index b7931cd290..b3b5607450 100644 --- a/include/haproxy/quic_conn-t.h +++ b/include/haproxy/quic_conn-t.h @@ -255,6 +255,7 @@ extern struct trace_source trace_quic; extern struct pool_head *pool_head_quic_tx_ring; extern struct pool_head *pool_head_quic_rx_packet; extern struct pool_head *pool_head_quic_tx_packet; +extern struct pool_head *pool_head_quic_crypto_buf; extern struct pool_head *pool_head_quic_frame; extern struct pool_head *pool_head_quic_dgram; diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h index 60deeadf50..9bfdc73468 100644 --- a/include/haproxy/quic_conn.h +++ b/include/haproxy/quic_conn.h @@ -51,6 +51,9 @@ extern struct pool_head *pool_head_quic_connection_id; int ssl_quic_initial_ctx(struct bind_conf *bind_conf); +struct quic_cstream *quic_cstream_new(struct quic_conn *qc); +struct quic_cstream *quic_cstream_new(struct quic_conn *qc); +void quic_cstream_free(struct quic_cstream *cs); /* Return the long packet type matching with version and */ static inline int quic_pkt_type(int type, uint32_t version) diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h index 72aeb1ab36..28f59f0bc8 100644 --- a/include/haproxy/quic_tls.h +++ b/include/haproxy/quic_tls.h 
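Review bot: The prototype `struct quic_cstream *quic_cstream_new(struct quic_conn *qc);` is added twice in include/haproxy/quic_conn.h; the second copy is redundant (identical redeclarations are legal C, so no compiler warning will point it out) and should be dropped so the block reads `struct quic_cstream *quic_cstream_new(struct quic_conn *qc);` followed directly by `void quic_cstream_free(struct quic_cstream *cs);`. These two functions are now called from src/quic_tls.c, but this patch does not show their definitions in src/quic_conn.c losing any `static` qualifier; if they are still file-local there, the new external declarations will conflict with them, so that is worth confirming in the same commit.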
@@ -34,6 +34,9 @@ void quic_tls_keys_hexdump(struct buffer *buf, void quic_tls_kp_keys_hexdump(struct buffer *buf, const struct quic_tls_kp *kp); +int quic_conn_enc_level_init(struct quic_conn *qc, + enum quic_tls_enc_level level); +void quic_conn_enc_level_uninit(struct quic_conn *qc, struct quic_enc_level *qel); void quic_tls_secret_hexdump(struct buffer *buf, const unsigned char *secret, size_t secret_len); diff --git a/src/quic_conn.c b/src/quic_conn.c index 074ac8cc32..fa68ef5f3c 100644 --- a/src/quic_conn.c +++ b/src/quic_conn.c @@ -222,7 +222,7 @@ DECLARE_POOL(pool_head_quic_dgram, "quic_dgram", sizeof(struct quic_dgram)); DECLARE_POOL(pool_head_quic_rx_packet, "quic_rx_packet", sizeof(struct quic_rx_packet)); DECLARE_POOL(pool_head_quic_tx_packet, "quic_tx_packet", sizeof(struct quic_tx_packet)); DECLARE_STATIC_POOL(pool_head_quic_rx_crypto_frm, "quic_rx_crypto_frm", sizeof(struct quic_rx_crypto_frm)); -DECLARE_STATIC_POOL(pool_head_quic_crypto_buf, "quic_crypto_buf", sizeof(struct quic_crypto_buf)); +DECLARE_POOL(pool_head_quic_crypto_buf, "quic_crypto_buf", sizeof(struct quic_crypto_buf)); DECLARE_STATIC_POOL(pool_head_quic_cstream, "quic_cstream", sizeof(struct quic_cstream)); DECLARE_POOL(pool_head_quic_frame, "quic_frame", sizeof(struct quic_frame)); DECLARE_STATIC_POOL(pool_head_quic_arng, "quic_arng", sizeof(struct quic_arng_node)); 
@@ -5280,79 +5280,6 @@ struct quic_cstream *quic_cstream_new(struct quic_conn *qc) goto leave; } -/* Uninitialize QUIC encryption level. Never fails. */ -static void quic_conn_enc_level_uninit(struct quic_conn *qc, struct quic_enc_level *qel) -{ - int i; - - TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); - - for (i = 0; i < qel->tx.crypto.nb_buf; i++) { - if (qel->tx.crypto.bufs[i]) { - pool_free(pool_head_quic_crypto_buf, qel->tx.crypto.bufs[i]); - qel->tx.crypto.bufs[i] = NULL; - } - } - ha_free(&qel->tx.crypto.bufs); - quic_cstream_free(qel->cstream); - - TRACE_LEAVE(QUIC_EV_CONN_CLOSE, qc); -} - -/* Initialize QUIC TLS encryption level with as level for QUIC - * connection allocating everything needed. - * - * Returns 1 if succeeded, 0 if not. On error the caller is responsible to use - * quic_conn_enc_level_uninit() to cleanup partially allocated content. - */ -static int quic_conn_enc_level_init(struct quic_conn *qc, - enum quic_tls_enc_level level) -{ - int ret = 0; - struct quic_enc_level *qel; - - TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); - - qel = &qc->els[level]; - qel->level = quic_to_ssl_enc_level(level); - qel->tls_ctx.rx.aead = qel->tls_ctx.tx.aead = NULL; - qel->tls_ctx.rx.md = qel->tls_ctx.tx.md = NULL; - qel->tls_ctx.rx.hp = qel->tls_ctx.tx.hp = NULL; - qel->tls_ctx.flags = 0; - - qel->rx.pkts = EB_ROOT; - LIST_INIT(&qel->rx.pqpkts); - - /* Allocate only one buffer. 
*/ - /* TODO: use a pool */ - qel->tx.crypto.bufs = malloc(sizeof *qel->tx.crypto.bufs); - if (!qel->tx.crypto.bufs) - goto leave; - - qel->tx.crypto.bufs[0] = pool_alloc(pool_head_quic_crypto_buf); - if (!qel->tx.crypto.bufs[0]) - goto leave; - - qel->tx.crypto.bufs[0]->sz = 0; - qel->tx.crypto.nb_buf = 1; - - qel->tx.crypto.sz = 0; - qel->tx.crypto.offset = 0; - /* No CRYPTO data for early data TLS encryption level */ - if (level == QUIC_TLS_ENC_LEVEL_EARLY_DATA) - qel->cstream = NULL; - else { - qel->cstream = quic_cstream_new(qc); - if (!qel->cstream) - goto leave; - } - - ret = 1; - leave: - TRACE_LEAVE(QUIC_EV_CONN_CLOSE, qc); - return ret; -} - /* Return 1 if connection may probe the Initial packet number space, 0 if not. * This is not the case if the remote peer address is not validated and if * it cannot send at least QUIC_INITIAL_PACKET_MINLEN bytes. diff --git a/src/quic_tls.c b/src/quic_tls.c index 0513ec07ff..e417764787 100644 --- a/src/quic_tls.c +++ b/src/quic_tls.c @@ -9,7 +9,7 @@ #include #include #include -#include +#include DECLARE_POOL(pool_head_quic_tls_secret, "quic_tls_secret", QUIC_TLS_SECRET_LEN); 
@@ -85,6 +85,79 @@ void quic_tls_secret_hexdump(struct buffer *buf, chunk_appendf(buf, "%02x", secret[i]); } +/* Initialize QUIC TLS encryption level with as level for QUIC + * connection allocating everything needed. + * + * Returns 1 if succeeded, 0 if not. On error the caller is responsible to use + * quic_conn_enc_level_uninit() to cleanup partially allocated content. + */ +int quic_conn_enc_level_init(struct quic_conn *qc, + enum quic_tls_enc_level level) +{ + int ret = 0; + struct quic_enc_level *qel; + + TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); + + qel = &qc->els[level]; + qel->level = quic_to_ssl_enc_level(level); + qel->tls_ctx.rx.aead = qel->tls_ctx.tx.aead = NULL; + qel->tls_ctx.rx.md = qel->tls_ctx.tx.md = NULL; + qel->tls_ctx.rx.hp = qel->tls_ctx.tx.hp = NULL; + qel->tls_ctx.flags = 0; + + qel->rx.pkts = EB_ROOT; + LIST_INIT(&qel->rx.pqpkts); + + /* Allocate only one buffer. */ + /* TODO: use a pool */ + qel->tx.crypto.bufs = malloc(sizeof *qel->tx.crypto.bufs); + if (!qel->tx.crypto.bufs) + goto leave; + + qel->tx.crypto.bufs[0] = pool_alloc(pool_head_quic_crypto_buf); + if (!qel->tx.crypto.bufs[0]) + goto leave; + + qel->tx.crypto.bufs[0]->sz = 0; + qel->tx.crypto.nb_buf = 1; + + qel->tx.crypto.sz = 0; + qel->tx.crypto.offset = 0; + /* No CRYPTO data for early data TLS encryption level */ + if (level == QUIC_TLS_ENC_LEVEL_EARLY_DATA) + qel->cstream = NULL; + else { + qel->cstream = quic_cstream_new(qc); + if (!qel->cstream) + goto leave; + } + + ret = 1; + leave: + TRACE_LEAVE(QUIC_EV_CONN_CLOSE, qc); + return ret; +} + +/* Uninitialize QUIC encryption level. Never fails. 
*/ +void quic_conn_enc_level_uninit(struct quic_conn *qc, struct quic_enc_level *qel) +{ + int i; + + TRACE_ENTER(QUIC_EV_CONN_CLOSE, qc); + + for (i = 0; i < qel->tx.crypto.nb_buf; i++) { + if (qel->tx.crypto.bufs[i]) { + pool_free(pool_head_quic_crypto_buf, qel->tx.crypto.bufs[i]); + qel->tx.crypto.bufs[i] = NULL; + } + } + ha_free(&qel->tx.crypto.bufs); + quic_cstream_free(qel->cstream); + + TRACE_LEAVE(QUIC_EV_CONN_CLOSE, qc); +} + int quic_hkdf_extract(const EVP_MD *md, unsigned char *buf, size_t buflen, const unsigned char *key, size_t keylen,
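Review bot: quic_conn_enc_level_init() documents that on failure the caller runs quic_conn_enc_level_uninit() on the partially initialised level, yet `qel->tx.crypto.bufs`, `qel->tx.crypto.nb_buf` and `qel->cstream` are only assigned after the allocations that can `goto leave`, so the cleanup contract silently depends on `qc->els[]` having been zeroed earlier, which this hunk does not show. If `malloc()` fails while `nb_buf` still holds a stale non-zero value, uninit would index through a NULL `bufs`, and `quic_cstream_free(qel->cstream)` would receive whatever `cstream` previously contained. Resetting the three fields next to the other initialisations, `qel->tx.crypto.bufs = NULL;`, `qel->tx.crypto.nb_buf = 0;` and `qel->cstream = NULL;` right after `LIST_INIT(&qel->rx.pqpkts);`, makes the documented contract hold regardless of how the connection was allocated. The header comment for the moved functions should also say that uninit is safe to call on a level for which init returned 0, since that is the intended pairing.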