RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-06 17:22:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: quic: timestamp shared in token was using internal time clock

Browse Source 
The internal tick clock was used to export the timestamp int the token
on retry packets. Doing this in cluster mode the nodes don't
understand the timestamp from tokens generated by others.

This patch re-work this using the the real current date (wall-clock time).

Timestamp are also now considered in secondes instead of milleseconds.

This patch should be backported until v2.6
This commit is contained in:
Emeric Brun 2023-07-11 16:13:19 +02:00 committed by Amaury Denoyelle
parent 072e774939
commit cadb232e93
2 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/quic_conn-t.h
View File

@ -92,7 +92,7 @@ typedef unsigned long long ull;
/* Salt length used to derive retry token secret */ /* Salt length used to derive retry token secret */
#define QUIC_RETRY_TOKEN_SALTLEN 16 /* bytes */ #define QUIC_RETRY_TOKEN_SALTLEN 16 /* bytes */
/* Retry token duration */ /* Retry token duration */
#define QUIC_RETRY_DURATION_MS 10000 #define QUIC_RETRY_DURATION_SEC 10
/* Default Retry threshold */ /* Default Retry threshold */
#define QUIC_DFLT_RETRY_THRESHOLD 100 /* in connection openings */ #define QUIC_DFLT_RETRY_THRESHOLD 100 /* in connection openings */
/* Default limit of loss detection on a single frame. If exceeded, connection is closed. */ /* Default limit of loss detection on a single frame. If exceeded, connection is closed. */

9
src/quic_conn.c
View File

@ -5389,6 +5389,7 @@ static int parse_retry_token(struct quic_conn *qc,
int ret = 0; int ret = 0;
uint64_t odcid_len; uint64_t odcid_len;
uint32_t timestamp; uint32_t timestamp;
uint32_t now_sec = (uint32_t)date.tv_sec;
TRACE_ENTER(QUIC_EV_CONN_LPKT, qc); TRACE_ENTER(QUIC_EV_CONN_LPKT, qc);
@ -5414,7 +5415,11 @@ static int parse_retry_token(struct quic_conn *qc,
} }
timestamp = ntohl(read_u32(token + odcid_len)); timestamp = ntohl(read_u32(token + odcid_len));
if (tick_is_expired(tick_add(timestamp, MS_TO_TICKS(QUIC_RETRY_DURATION_MS)), now_ms)) { /* check if elapsed time is +/- QUIC_RETRY_DURATION_SEC
* to tolerate token generator is not perfectly time synced
*/
if ((uint32_t)(now_sec - timestamp) > QUIC_RETRY_DURATION_SEC &&
(uint32_t)(timestamp - now_sec) > QUIC_RETRY_DURATION_SEC) {
TRACE_ERROR("token has expired", QUIC_EV_CONN_LPKT, qc); TRACE_ERROR("token has expired", QUIC_EV_CONN_LPKT, qc);
goto leave; goto leave;
} }
@ -6358,7 +6363,7 @@ static int quic_generate_retry_token(unsigned char *token, size_t len,
size_t seclen = strlen(global.cluster_secret); size_t seclen = strlen(global.cluster_secret);
EVP_CIPHER_CTX *ctx = NULL; EVP_CIPHER_CTX *ctx = NULL;
const EVP_CIPHER *aead = EVP_aes_128_gcm(); const EVP_CIPHER *aead = EVP_aes_128_gcm();
uint32_t timestamp = now_ms; uint32_t timestamp = (uint32_t)date.tv_sec;
TRACE_ENTER(QUIC_EV_CONN_TXPKT); TRACE_ENTER(QUIC_EV_CONN_TXPKT);