MINOR: quic: Do not drop secret key but drop the CRYPTO data

author Frédéric Lécaille <flecaille@haproxy.com>

Mon, 3 Jan 2022 16:00:35 +0000 (17:00 +0100)

committer Frédéric Lécaille <flecaille@haproxy.com>

Tue, 4 Jan 2022 16:30:00 +0000 (17:30 +0100)
author Frédéric Lécaille <flecaille@haproxy.com>
Mon, 3 Jan 2022 16:00:35 +0000 (17:00 +0100)
committer Frédéric Lécaille <flecaille@haproxy.com>
Tue, 4 Jan 2022 16:30:00 +0000 (17:30 +0100)
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h

index 303ba37e3568b481ab532d18f69d923d21921dab..2c3528d83767b01d4f98e03a98cd34bbb8727400 100644 (file)
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -459,7 +459,6 @@ static inline void quic_tls_discard_keys(struct quic_enc_level *qel)
  {
         qel->tls_ctx.rx.flags |= QUIC_FL_TLS_SECRETS_DCD;
         qel->tls_ctx.tx.flags |= QUIC_FL_TLS_SECRETS_DCD;
-       quic_tls_ctx_secs_free(&qel->tls_ctx);
  }
  
  /* Derive the initial secrets with <ctx> as QUIC TLS context which is the
diff --git a/src/xprt_quic.c b/src/xprt_quic.c

index 98718ce1dd41b9729473d02290d204d754ee0f61..6e6be1140e1df3b38428f97dfd2a6b5bc0e49103 100644 (file)
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -2250,6 +2250,17 @@ static int qc_parse_pkt_frms(struct quic_rx_packet *pkt, struct ssl_sock_ctx *ct
                 {
                         struct quic_rx_crypto_frm *cf;
  
+                       if (unlikely(qel->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_DCD)) {
+                               /* XXX TO DO: <cfdebug> is used only for the traces. */
+                               struct quic_rx_crypto_frm cfdebug = { };
+
+                               cfdebug.offset_node.key = frm.crypto.offset;
+                               cfdebug.len = frm.crypto.len;
+                               TRACE_PROTO("CRYPTO data discarded",
+                                           QUIC_EV_CONN_ELRXPKTS, qc, pkt, &cfdebug);
+                               break;
+                       }
+
                         if (unlikely(frm.crypto.offset < qel->rx.crypto.offset)) {
                                 if (frm.crypto.offset + frm.crypto.len <= qel->rx.crypto.offset) {
                                         /* XXX TO DO: <cfdebug> is used only for the traces. */
@@ -3091,7 +3102,14 @@ struct task *quic_conn_io_cb(struct task *t, void *context, unsigned int state)
                 (!MT_LIST_ISEMPTY(&qc->els[QUIC_TLS_ENC_LEVEL_EARLY_DATA].rx.pqpkts) ||
                 qc_el_rx_pkts(&qc->els[QUIC_TLS_ENC_LEVEL_EARLY_DATA]));
   start:
-       if (!quic_get_tls_enc_levels(&tel, &next_tel, st, zero_rtt))
+       if (st >= QUIC_HS_ST_COMPLETE &&
+           qc_el_rx_pkts(&qc->els[QUIC_TLS_ENC_LEVEL_HANDSHAKE])) {
+               TRACE_PROTO("remaining Handshake packets", QUIC_EV_CONN_PHPKTS, qc);
+               /* There may be remaining Handshake packets to treat and acknowledge. */
+               tel = QUIC_TLS_ENC_LEVEL_HANDSHAKE;
+               next_tel = QUIC_TLS_ENC_LEVEL_APP;
+       }
+       else if (!quic_get_tls_enc_levels(&tel, &next_tel, st, zero_rtt))
                 goto err;
  
         qel = &qc->els[tel];
@@ -3563,10 +3581,8 @@ static int qc_pkt_may_rm_hp(struct quic_conn *qc, struct quic_rx_packet *pkt,
         }
  
         *qel = &qc->els[tel];
-       if ((*qel)->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_DCD) {
+       if ((*qel)->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_DCD)
                 TRACE_DEVEL("Discarded keys", QUIC_EV_CONN_TRMHP, qc);
-               return 0;
-       }
  
         if (((*qel)->tls_ctx.rx.flags & QUIC_FL_TLS_SECRETS_SET) &&
             (tel != QUIC_TLS_ENC_LEVEL_APP ||
author	Frédéric Lécaille <flecaille@haproxy.com>
	Mon, 3 Jan 2022 16:00:35 +0000 (17:00 +0100)
committer	Frédéric Lécaille <flecaille@haproxy.com>
	Tue, 4 Jan 2022 16:30:00 +0000 (17:30 +0100)
include/haproxy/quic_tls.h		patch \| blob \| blame \| history
src/xprt_quic.c		patch \| blob \| blame \| history