From: Frédéric Lécaille Date: Tue, 2 May 2023 18:03:19 +0000 (+0200) Subject: BUG/MINOR: quic: Wrong key update cipher context initialization for encryption X-Git-Tag: v2.8-dev11~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a01ff7921cd72f41ebfd8268b6874ae6c7c139d;p=thirdparty%2Fhaproxy.git BUG/MINOR: quic: Wrong key update cipher context initialization for encryption As noticed by Miroslav, there was a typo in quic_tls_key_update() which lead a cipher context for decryption to be initialized and used in place of a cipher context for encryption. Surprisingly, this did not prevent the key update from working. Perhaps this is due to the fact that the underlying cryptographic algorithms used by QUIC are all symetric algorithms. Also modify incorrect traces. Must be backported in 2.6 and 2.7.
---
diff --git a/src/quic_conn.c b/src/quic_conn.c
index 096f5e3887..069609ab68 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -948,7 +948,7 @@ static int quic_tls_key_update(struct quic_conn *qc)
 }
 if (!quic_tls_rx_ctx_init(&nxt_rx->ctx, tls_ctx->rx.aead, nxt_rx->key)) {
- TRACE_ERROR("could not initial RX TLS cipher context", QUIC_EV_CONN_KP, qc);
+ TRACE_ERROR("could not initialize RX TLS cipher context", QUIC_EV_CONN_KP, qc);
 goto leave;
 }
@@ -957,8 +957,8 @@ static int quic_tls_key_update(struct quic_conn *qc)
 nxt_tx->ctx = NULL;
 }
- if (!quic_tls_rx_ctx_init(&nxt_tx->ctx, tls_ctx->tx.aead, nxt_tx->key)) {
- TRACE_ERROR("could not initial RX TLS cipher context", QUIC_EV_CONN_KP, qc);
+ if (!quic_tls_tx_ctx_init(&nxt_tx->ctx, tls_ctx->tx.aead, nxt_tx->key)) {
+ TRACE_ERROR("could not initialize TX TLS cipher context", QUIC_EV_CONN_KP, qc);
 goto leave;
 }
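Review bot: Nothing on the new `quic_tls_tx_ctx_init(&nxt_tx->ctx, tls_ctx->tx.aead, nxt_tx->key)` line in the second hunk guards against the same slip recurring: the RX and TX initializers are called with the same argument shape, so swapping them compiles cleanly and, per the commit message, did not visibly break key updates. A short comment above the call would record the intent, e.g. `/* TX keys: this must be an encryption context, do not use quic_tls_rx_ctx_init() here */`. Because the failure was silent, a regression check that a key update leaves `nxt_tx->ctx` set up for encryption would be worth adding; the commit message only guesses at why the wrong direction still worked, and that should be confirmed against how the context is used at encryption time before relying on it. The body of quic_tls_key_update() starts and ends outside the hunk.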