From ceb7dbf4201acbb03ab7a22e7a116d4c4e443463 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille <flecaille@haproxy.com>
Date: Fri, 30 Aug 2024 14:47:08 +0200
Subject: [PATCH] MINOR: quic: Modify NEW_TOKEN frame structure (qf_new_token
 struct)

Modify qf_new_token structure to use a static buffer with QUIC_TOKEN_LEN
as size as defined by the token for future connections (quic_token.c).
Modify consequently the NEW_TOKEN frame parser (see quic_parse_new_token_frame()).
Also add comments to denote that the NEW_TOKEN parser function is used only by
clients and that its builder is used only by servers.

(cherry picked from commit e926378375bcf579daadea071c600651eb7dce0d)
[fl: remove useless openssl/chacha.h header inclusion when moving
     openssl-compat.h at the start of the header inclusions as expected by this
     patch]
Signed-off-by: Frederic Lecaille <flecaille@haproxy.com>
---
 include/haproxy/quic_frame-t.h |  3 ++-
 include/haproxy/quic_tls-t.h   |  2 +-
 src/quic_frame.c               | 11 +++++++----
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/include/haproxy/quic_frame-t.h b/include/haproxy/quic_frame-t.h
index 5e91f9320..fe80f2793 100644
--- a/include/haproxy/quic_frame-t.h
+++ b/include/haproxy/quic_frame-t.h
@@ -33,6 +33,7 @@
 #include <haproxy/buf-t.h>
 #include <haproxy/list.h>
 #include <haproxy/quic_stream-t.h>
+#include <haproxy/quic_token.h>
 
 extern struct pool_head *pool_head_quic_frame;
 extern struct pool_head *pool_head_qf_crypto;
@@ -154,7 +155,7 @@ struct qf_crypto {
 
 struct qf_new_token {
 	uint64_t len;
-	const unsigned char *data;
+	unsigned char data[QUIC_TOKEN_LEN];
 };
 
 struct qf_stream {
diff --git a/include/haproxy/quic_tls-t.h b/include/haproxy/quic_tls-t.h
index b6e3286c8..c1b093a3b 100644
--- a/include/haproxy/quic_tls-t.h
+++ b/include/haproxy/quic_tls-t.h
@@ -17,6 +17,7 @@
 #error "Must define USE_OPENSSL"
 #endif
 
+#include <haproxy/openssl-compat.h>
 #include <openssl/evp.h>
 
 #include <import/ebtree.h>
@@ -24,7 +25,6 @@
 #include <haproxy/buf-t.h>
 #include <haproxy/ncbuf-t.h>
 #include <haproxy/quic_ack-t.h>
-#include <haproxy/openssl-compat.h>
 
 /* Use EVP_CIPHER or EVP_AEAD API depending on the library */
 #if defined(USE_OPENSSL_AWSLC)
diff --git a/src/quic_frame.c b/src/quic_frame.c
index 8d42786e0..6c459353c 100644
--- a/src/quic_frame.c
+++ b/src/quic_frame.c
@@ -473,7 +473,8 @@ static int quic_parse_crypto_frame(struct quic_frame *frm, struct quic_conn *qc,
 	return 1;
 }
 
-/* Encode a NEW_TOKEN frame at <pos> buffer position.
+/* Server only function.
+ * Encode a NEW_TOKEN frame at <pos> buffer position.
  * Returns 1 if succeeded (enough room at <pos> buffer position to encode the frame), 0 if not.
  */
 static int quic_build_new_token_frame(unsigned char **pos, const unsigned char *end,
@@ -490,7 +491,8 @@ static int quic_build_new_token_frame(unsigned char **pos, const unsigned char *
 	return 1;
 }
 
-/* Parse a NEW_TOKEN frame at <pos> buffer position with <end> as end into <frm> frame.
+/* Client only function.
+ * Parse a NEW_TOKEN frame at <pos> buffer position with <end> as end into <frm> frame.
  * Return 1 if succeeded (enough room at <pos> buffer position to parse this frame), 0 if not.
  */
 static int quic_parse_new_token_frame(struct quic_frame *frm, struct quic_conn *qc,
@@ -498,10 +500,11 @@ static int quic_parse_new_token_frame(struct quic_frame *frm, struct quic_conn *
 {
 	struct qf_new_token *new_token_frm = &frm->new_token;
 
-	if (!quic_dec_int(&new_token_frm->len, pos, end) || end - *pos < new_token_frm->len)
+	if (!quic_dec_int(&new_token_frm->len, pos, end) || end - *pos < new_token_frm->len ||
+	    sizeof(new_token_frm->data) < new_token_frm->len)
 		return 0;
 
-	new_token_frm->data = *pos;
+	memcpy(new_token_frm->data, *pos, new_token_frm->len);
 	*pos += new_token_frm->len;
 
 	return 1;