mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: No TX secret at EARLY_DATA encryption level

Browse Source 
The TLS does not provide us with TX secrets after we have provided it
with 0-RTT data. This is logic: the server does not need to send 0-RTT
data. We must skip the section where such secrets are derived if we do not
want to close the connection with a TLS alert.
This commit is contained in:
Frédéric Lécaille 2021-12-14 19:29:34 +01:00 committed by Amaury Denoyelle
parent ad3c07ae81
commit 4015cbb723
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/xprt_quic.c
View File

@ -812,6 +812,10 @@ int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t level,
} }
rx->flags |= QUIC_FL_TLS_SECRETS_SET; rx->flags |= QUIC_FL_TLS_SECRETS_SET;
if (!write_secret)
goto tp;
if (!quic_tls_derive_keys(tx->aead, tx->hp, tx->md, tx->key, tx->keylen, if (!quic_tls_derive_keys(tx->aead, tx->hp, tx->md, tx->key, tx->keylen,
tx->iv, tx->ivlen, tx->hp_key, sizeof tx->hp_key, tx->iv, tx->ivlen, tx->hp_key, sizeof tx->hp_key,
write_secret, secret_len)) { write_secret, secret_len)) {
@ -820,6 +824,7 @@ int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t level,
} }
tx->flags |= QUIC_FL_TLS_SECRETS_SET; tx->flags |= QUIC_FL_TLS_SECRETS_SET;
tp:
if (objt_server(conn->target) && level == ssl_encryption_application) { if (objt_server(conn->target) && level == ssl_encryption_application) {
const unsigned char *buf; const unsigned char *buf;
size_t buflen; size_t buflen;