From: Frédéric Lécaille
Date: Mon, 31 May 2021 13:16:13 +0000 (+0200)
Subject: MINOR: quic: Derive the initial secrets asap
X-Git-Tag: v2.5-dev8~133
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=497fa78ad8ac28536b60039df0eca7905c8f734e;p=thirdparty%2Fhaproxy.git
MINOR: quic: Derive the initial secrets asap
Make depends qc_new_isecs() only on quic_conn struct initialization only (no more dependency on connection struct initialization) to be able to run it as soon as the quic_conn struct is initialized (from the I/O handler) before running ->accept() quic proto callback.
---
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 01821a7243..12ce7344c6 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -384,7 +384,7 @@ static inline void quic_tls_discard_keys(struct quic_enc_level *qel)
 * depending on boolean value.
 * Return 1 if succeeded or 0 if not.
 */
-static inline int qc_new_isecs(struct connection *conn,
+static inline int qc_new_isecs(struct quic_conn *qc,
 const unsigned char *cid, size_t cidlen, int server)
 {
 unsigned char initial_secret[32];
@@ -395,8 +395,8 @@ static inline int qc_new_isecs(struct connection *conn,
 struct quic_tls_secrets *rx_ctx, *tx_ctx;
 struct quic_tls_ctx *ctx;
- TRACE_ENTER(QUIC_EV_CONN_ISEC, conn);
- ctx = &conn->qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
+ TRACE_ENTER(QUIC_EV_CONN_ISEC);
+ ctx = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
 quic_initial_tls_ctx_init(ctx);
 if (!quic_derive_initial_secret(ctx->rx.md, initial_secret, sizeof initial_secret,
@@ -427,12 +427,12 @@ static inline int qc_new_isecs(struct connection *conn,
 goto err;
 tx_ctx->flags |= QUIC_FL_TLS_SECRETS_SET;
- TRACE_LEAVE(QUIC_EV_CONN_ISEC, conn, rx_init_sec, tx_init_sec);
+ TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, rx_init_sec, tx_init_sec);
 return 1;
 err:
- TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC, conn);
+ TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC);
 return 0;
 }
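Review bot: The header comment whose tail opens this hunk (` * depending on boolean value.` / ` * Return 1 if succeeded or 0 if not.`) was written for the `struct connection *conn` parameter that the hunk replaces with `struct quic_conn *qc`; only its last lines are visible, so if its opening still describes a connection it should be reworded for the new first parameter, e.g. ` * Derive the initial secrets of <qc> QUIC connection from <cid> connection ID of <cidlen> bytes, as a server or a client depending on <server> boolean value.` The body of qc_new_isecs() continues past the end of this hunk.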
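Review bot: `TRACE_ENTER(QUIC_EV_CONN_ISEC)` in the second hunk, and `TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, ...)` / `TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC)` in the third, no longer carry any connection pointer, so the ISEC trace events become harder to attribute to a given connection even once one has been attached. The third hunk shows the trace macros accept a NULL connection, and src/xprt_quic.c in this same commit reaches the connection as `qc->conn`, so `TRACE_ENTER(QUIC_EV_CONN_ISEC, qc->conn);` (and the same in the two leave paths) would keep the correlation whenever it is available and be NULL before ->accept(). Whether the trace callback can render rx_init_sec/tx_init_sec without a connection cannot be seen from these hunks, so that presumption should be checked against it.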
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index e42f1c4195..ac8b23b35c 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -3291,6 +3291,14 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 if (!qc->enc_params_len)
 goto err;
+ /* NOTE: the socket address has been concatenated to the destination ID
+ * chosen by the client for Initial packets.
+ */
+ if (!qc_new_isecs(qc, pkt->dcid.data, pkt->odcid_len, 1)) {
+ TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
+ goto err;
+ }
+ pkt->qc = qc;
 /* This is the DCID node sent in this packet by the client. */
 node = &qc->odcid_node;
@@ -3306,8 +3314,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
 uint64_t token_len;
- struct quic_tls_ctx *ctx =
- &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
 if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) || end - *buf < token_len) {
@@ -3323,14 +3329,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 * The token must be provided in a Retry packet or NEW_TOKEN frame.
 */
 pkt->token_len = token_len;
- /* NOTE: the socket address has been concatenated to the destination ID
- * chosen by the client for Initial packets.
- */
- if (conn_ctx && !ctx->rx.hp &&
- !qc_new_isecs(qc->conn, pkt->dcid.data, pkt->odcid_len, 1)) {
- TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
- goto err;
- }
 }
 }
 else {
@@ -4372,7 +4370,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
 dcid, sizeof dcid, NULL, 0, 0))
 goto err;
- if (!qc_new_isecs(conn, dcid, sizeof dcid, 0))
+ if (!qc_new_isecs(quic_conn, dcid, sizeof dcid, 0))
 goto err;
 ctx->state = QUIC_HS_ST_CLIENT_INITIAL;
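Review bot: The new `qc_new_isecs(qc, pkt->dcid.data, pkt->odcid_len, 1)` call placed after `if (!qc->enc_params_len) goto err;` runs without the `pkt->type == QUIC_PACKET_TYPE_INITIAL` scope and the `conn_ctx && !ctx->rx.hp` condition that surrounded the call removed in the hunk at -3323, and the branch it sits in starts before this hunk, so it is not visible here whether this path is entered only for the Initial packet that creates a connection. If it is, the NOTE comment should say so (add a line ` * The initial secrets are derived once here: this path is only taken for the Initial packet that creates the connection.`) so that the next reader does not go looking for the old guard. If the path can also be reached for other long-header packets of an existing connection, keep a `pkt->type == QUIC_PACKET_TYPE_INITIAL` check in front of the call so that only an Initial DCID feeds the key derivation and the secrets of a live connection are not overwritten. The `TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn)` on the error path runs before ->accept() according to the commit message, so qc->conn is presumably NULL there; that is consistent with the NULL accepted by the quic_tls.h hunks, just worth knowing when reading the trace.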