MINOR: quic: Derive the initial secrets asap
Make depends qc_new_isecs() only on quic_conn struct initialization only (no more
dependency on connection struct initialization) to be able to run it as soon as
the quic_conn struct is initialized (from the I/O handler) before running ->accept()
quic proto callback.
diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 01821a7..12ce734 100644
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -384,7 +384,7 @@
* depending on <server> boolean value.
* Return 1 if succeeded or 0 if not.
*/
-static inline int qc_new_isecs(struct connection *conn,
+static inline int qc_new_isecs(struct quic_conn *qc,
const unsigned char *cid, size_t cidlen, int server)
{
unsigned char initial_secret[32];
@@ -395,8 +395,8 @@
struct quic_tls_secrets *rx_ctx, *tx_ctx;
struct quic_tls_ctx *ctx;
- TRACE_ENTER(QUIC_EV_CONN_ISEC, conn);
- ctx = &conn->qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
+ TRACE_ENTER(QUIC_EV_CONN_ISEC);
+ ctx = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
quic_initial_tls_ctx_init(ctx);
if (!quic_derive_initial_secret(ctx->rx.md,
initial_secret, sizeof initial_secret,
@@ -427,12 +427,12 @@
goto err;
tx_ctx->flags |= QUIC_FL_TLS_SECRETS_SET;
- TRACE_LEAVE(QUIC_EV_CONN_ISEC, conn, rx_init_sec, tx_init_sec);
+ TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, rx_init_sec, tx_init_sec);
return 1;
err:
- TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC, conn);
+ TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC);
return 0;
}
diff --git a/src/xprt_quic.c b/src/xprt_quic.c
index e42f1c4..ac8b23b 100644
--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@@ -3291,6 +3291,14 @@
if (!qc->enc_params_len)
goto err;
+ /* NOTE: the socket address has been concatenated to the destination ID
+ * chosen by the client for Initial packets.
+ */
+ if (!qc_new_isecs(qc, pkt->dcid.data, pkt->odcid_len, 1)) {
+ TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
+ goto err;
+ }
+
pkt->qc = qc;
/* This is the DCID node sent in this packet by the client. */
node = &qc->odcid_node;
@@ -3306,8 +3314,6 @@
if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
uint64_t token_len;
- struct quic_tls_ctx *ctx =
- &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) ||
end - *buf < token_len) {
@@ -3323,14 +3329,6 @@
* The token must be provided in a Retry packet or NEW_TOKEN frame.
*/
pkt->token_len = token_len;
- /* NOTE: the socket address has been concatenated to the destination ID
- * chosen by the client for Initial packets.
- */
- if (conn_ctx && !ctx->rx.hp &&
- !qc_new_isecs(qc->conn, pkt->dcid.data, pkt->odcid_len, 1)) {
- TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
- goto err;
- }
}
}
else {
@@ -4372,7 +4370,7 @@
dcid, sizeof dcid, NULL, 0, 0))
goto err;
- if (!qc_new_isecs(conn, dcid, sizeof dcid, 0))
+ if (!qc_new_isecs(quic_conn, dcid, sizeof dcid, 0))
goto err;
ctx->state = QUIC_HS_ST_CLIENT_INITIAL;