MINOR: quic: Derive the initial secrets asap

Make depends qc_new_isecs() only on quic_conn struct initialization only (no more dependency on connection struct initialization) to be able to run it as soon as the quic_conn struct is initialized (from the I/O handler) before running ->accept() quic proto callback.
2025-09-22 22:31:28 +02:00 · 2021-05-31 15:16:13 +02:00 · 2021-05-31 15:16:13 +02:00 · 497fa78ad8
commit 497fa78ad8
parent d24c2ecb16
2 changed files with 14 additions and 16 deletions
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@ -384,7 +384,7 @@ static inline void quic_tls_discard_keys(struct quic_enc_level *qel)
 * depending on <server> boolean value.
 * Return 1 if succeeded or 0 if not.
 */
-static inline int qc_new_isecs(struct connection *conn,
+static inline int qc_new_isecs(struct quic_conn *qc,
                               const unsigned char *cid, size_t cidlen, int server)
 {
 	unsigned char initial_secret[32];
@ -395,8 +395,8 @@ static inline int qc_new_isecs(struct connection *conn,
 	struct quic_tls_secrets *rx_ctx, *tx_ctx;
 	struct quic_tls_ctx *ctx;

-	TRACE_ENTER(QUIC_EV_CONN_ISEC, conn);
-	ctx = &conn->qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
+	TRACE_ENTER(QUIC_EV_CONN_ISEC);
+	ctx = &qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;
 	quic_initial_tls_ctx_init(ctx);
 	if (!quic_derive_initial_secret(ctx->rx.md,
 	                                initial_secret, sizeof initial_secret,
@ -427,12 +427,12 @@ static inline int qc_new_isecs(struct connection *conn,
 		goto err;

 	tx_ctx->flags |= QUIC_FL_TLS_SECRETS_SET;
-	TRACE_LEAVE(QUIC_EV_CONN_ISEC, conn, rx_init_sec, tx_init_sec);
+	TRACE_LEAVE(QUIC_EV_CONN_ISEC, NULL, rx_init_sec, tx_init_sec);

 	return 1;

 err:
-	TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC, conn);
+	TRACE_DEVEL("leaving in error", QUIC_EV_CONN_ISEC);
 	return 0;
 }

--- a/src/xprt_quic.c
+++ b/src/xprt_quic.c
@ -3291,6 +3291,14 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 			if (!qc->enc_params_len)
 				goto err;

+			/* NOTE: the socket address has been concatenated to the destination ID
+			 * chosen by the client for Initial packets.
+			 */
+			if (!qc_new_isecs(qc, pkt->dcid.data, pkt->odcid_len, 1)) {
+				TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
+				goto err;
+			}
+
 			pkt->qc = qc;
 			/* This is the DCID node sent in this packet by the client. */
 			node = &qc->odcid_node;
@ -3306,8 +3314,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,

 		if (pkt->type == QUIC_PACKET_TYPE_INITIAL) {
 			uint64_t token_len;
-			struct quic_tls_ctx *ctx =
-				&qc->els[QUIC_TLS_ENC_LEVEL_INITIAL].tls_ctx;

 			if (!quic_dec_int(&token_len, (const unsigned char **)buf, end) ||
 			    end - *buf < token_len) {
@ -3323,14 +3329,6 @@ static ssize_t qc_lstnr_pkt_rcv(unsigned char **buf, const unsigned char *end,
 			 * The token must be provided in a Retry packet or NEW_TOKEN frame.
 			 */
 			pkt->token_len = token_len;
-			/* NOTE: the socket address has been concatenated to the destination ID
-			 * chosen by the client for Initial packets.
-			 */
-			if (conn_ctx && !ctx->rx.hp &&
-			    !qc_new_isecs(qc->conn, pkt->dcid.data, pkt->odcid_len, 1)) {
-				TRACE_PROTO("Packet dropped", QUIC_EV_CONN_LPKT, qc->conn);
-				goto err;
-			}
 		}
 	}
 	else {
@ -4372,7 +4370,7 @@ static int qc_conn_init(struct connection *conn, void **xprt_ctx)
 		                      dcid, sizeof dcid, NULL, 0, 0))
 			goto err;

-		if (!qc_new_isecs(conn, dcid, sizeof dcid, 0))
+		if (!qc_new_isecs(quic_conn, dcid, sizeof dcid, 0))
 			goto err;

 		ctx->state = QUIC_HS_ST_CLIENT_INITIAL;