Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 0ae0d74d953b8b235fcbb4605c607e8b5b954f36
commit0ae0d74d953b8b235fcbb4605c607e8b5b954f36[log] [tgz]
authorEmeric Brun <ebrun@haproxy.com>Tue Jul 11 14:57:54 2023 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Fri Jul 21 15:35:41 2023 +0200
tree630d58f7c57d6a2afdb2ec7053e1dc9b50b1bc3b
parente397d860b28b8a00b875f8a911beb32c7651ac28 [diff]
BUG/MEDIUM: quic: missing check of dcid for init pkt including a token

RFC 9000, 17.2.5.1:
"The client MUST use the value from the Source Connection ID
field of the Retry packet in the Destination Connection ID
field of subsequent packets that it sends."

There was no control of this and we could accept a different
dcid on init packets containing a valid token.

The randomized value used as new scid on retry packets is now
added in the aad used to encode the token. This way the token
will appear as invalid if the dcid missmatch the scid of
the previous retry packet.

This should be backported until v2.6

(cherry picked from commit 072e77493961a06b89f853f4ab2bbf0e9cf3eff7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
1 file changed
tree: 630d58f7c57d6a2afdb2ec7053e1dc9b50b1bc3b
  1. .github/
  2. addons/
  3. admin/
  4. dev/
  5. doc/
  6. examples/
  7. include/
  8. reg-tests/
  9. scripts/
  10. src/
  11. tests/
  12. .cirrus.yml
  13. .gitattributes
  14. .gitignore
  15. .mailmap
  16. .travis.yml
  17. BRANCHES
  18. BSDmakefile
  19. CHANGELOG
  20. CONTRIBUTING
  21. INSTALL
  22. LICENSE
  23. MAINTAINERS
  24. Makefile
  25. README
  26. SUBVERS
  27. VERDATE
  28. VERSION