MINOR: quic: Derive the initial secrets asap
authorFrédéric Lécaille <flecaille@haproxy.com>
Mon, 31 May 2021 13:16:13 +0000 (15:16 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Thu, 23 Sep 2021 13:27:25 +0000 (15:27 +0200)
Make qc_new_isecs() depend only on quic_conn struct initialization (no more
dependency on connection struct initialization) so that it can run as soon as
the quic_conn struct is initialized (from the I/O handler), before the ->accept()
quic proto callback is run.

include/haproxy/quic_tls.h
src/xprt_quic.c

index 01821a7243d31be1db2ca1d7ce8500340baf0058..12ce7344c62e3ca3e6dadc93804ad06f202626b6 100644 (file)
@@ -384,7 +384,7 @@ static inline void quic_tls_discard_keys(struct quic_enc_level *qel)
  * depending on <server> boolean value.
  * Return 1 if succeeded or 0 if not.
  */
-static inline int qc_new_isecs(struct connection *conn,
+static inline int qc_new_isecs(struct quic_conn *qc,
                                const unsigned char *cid, size_t cidlen, int server)
 {
        unsigned char initial_secret[32];
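Review bot: The function comment whose tail is visible at the top of the hunk still documents only <server> and the return value, while the first parameter has changed from a connection to a quic_conn; if the lines above the hunk describe <conn>, they should now name <qc>, e.g. `* Derive the initial secrets for <qc> from <cid> of length <cidlen>,` followed by the existing `depending on <server>` sentence. This matters because qc_new_isecs() is a header-defined inline with several callers, so the comment is its only contract. The body of qc_new_isecs continues past the end of this hunk.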
@@ -395,8 +395,8 @@ static inline int qc_new_isecs(struct connection *conn,
        struct quic_tls_secrets *rx_ctx, *tx_ctx;
        struct quic_tls_ctx *ctx;
 
-       TRACE_ENTER(QUIC_EV_CONN_ISEC, conn);
-       ctx = &conn->qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
+       TRACE_ENTER(QUIC_EV_CONN_ISEC);
+       ctx = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
        quic_initial_tls_ctx_init(ctx);
        if (!quic_derive_initial_secret(ctx->rx.md,
                                        initial_secret, sizeof initial_secret,
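Review bot: The three trace calls of this function are now inconsistent: `TRACE_ENTER(QUIC_EV_CONN_ISEC);` here and `TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC);` in the next hunk omit the connection argument, while `TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, rx_init_sec, tx_init_sec);` passes an explicit NULL. Either form presumably resolves to no connection context, so the traces emitted here can no longer be correlated with a connection; since the point of the commit is that qc->conn may not exist yet, passing it is not an option, but picking one spelling and stating why would help, e.g. `TRACE_ENTER(QUIC_EV_CONN_ISEC, NULL); /* no connection yet: called from the I/O handler before ->accept() */`. Whether the QUIC_EV_CONN_ISEC trace callback tolerates a NULL connection is not visible in this diff and should be confirmed.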
@@ -427,12 +427,12 @@ static inline int qc_new_isecs(struct connection *conn,
                goto err;
 
        tx_ctx->flags |= QUIC_FL_TLS_SECRETS_SET;
-       TRACE_LEAVE(QUIC_EV_CONN_ISEC, conn, rx_init_sec, tx_init_sec);
+       TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, rx_init_sec, tx_init_sec);
 
        return 1;
 
  err:
-       TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC, conn);
+       TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC);
        return 0;
 }
 
index e42f1c4195f7d2305eb971b747f847418ca5c5d5..ac8b23b35cffe5c7a77413b178e54e9824bb39e9 100644 (file)
@@ -3291,6 +3291,14 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
                        if (!qc->enc_params_len)
                                goto err;
 
+                       /* NOTE: the socket address has been concatenated to the destination ID
+                        * chosen by the client for Initial packets.
+                        */
+                       if (!qc_new_isecs(qc, pkt->dcid.data, pkt->odcid_len, 1)) {
+                               TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
+                               goto err;
+                       }
+
                        pkt->qc = qc;
                        /* This is the DCID node sent in this packet by the client. */
                        node = &qc->odcid_node;
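Review bot: The failure path `TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);` passes qc->conn, which by the commit's own motivation is not expected to be set when this code runs from the I/O handler, so the trace presumably carries no connection context; for consistency with the header change, pass an explicit NULL or extend the trace to take the quic_conn. The relocated call also loses the `!ctx->rx.hp` guard that the old site (removed in a later hunk) used to avoid re-deriving secrets; that is only correct if this branch is reached exactly once per newly created quic_conn, which the hunk does not show, so a comment such as `/* Derived once here, right after the quic_conn is created. */` would document the assumption. The enclosing function qc_lstnr_pkt_rcv starts and ends outside the hunk.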
@@ -3306,8 +3314,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 
                if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
                        uint64_t token_len;
-                       struct quic_tls_ctx *ctx =
-                               &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
 
                        if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) ||
                            end - *buf < token_len) {
@@ -3323,14 +3329,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
                         * The token must be provided in a Retry packet or NEW_TOKEN frame.
                         */
                        pkt->token_len = token_len;
-                       /* NOTE: the socket address has been concatenated to the destination ID
-                        * chosen by the client for Initial packets.
-                        */
-                       if (conn_ctx && !ctx->rx.hp &&
-                           !qc_new_isecs(qc->conn, pkt->dcid.data, pkt->odcid_len, 1)) {
-                               TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
-                               goto err;
-                       }
                }
        }
        else {
@@ -4372,7 +4370,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
                                      dcid, sizeof dcid, NULL, 0, 0))
                        goto err;
 
-               if (!qc_new_isecs(conn, dcid, sizeof dcid, 0))
+               if (!qc_new_isecs(quic_conn, dcid, sizeof dcid, 0))
                        goto err;
 
                ctx->state = QUIC_HS_ST_CLIENT_INITIAL;