BUG/MEDIUM: quic: token IV was not computed using a strong secret

Computing the token key and IV, a stronger derived key was used
to compute the key but the weak secret was still used to compute
the IV. This could be used to find the secret.

This patch fixes this using the same derived key as the one used
to compute the token key.

This should be backported until v2.6
Emeric Brun 2023-07-03 12:14:41 +02:00 committed by Amaury Denoyelle
parent 65f18d65a3
commit 075b8f4cd8


@ -775,7 +775,7 @@ int quic_tls_derive_retry_token_secret(const EVP_MD *md,
tmpkey_label, sizeof tmpkey_label - 1) || tmpkey_label, sizeof tmpkey_label - 1) ||
!quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey, !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
key_label, sizeof key_label - 1) || key_label, sizeof key_label - 1) ||
!quic_hkdf_expand(md, iv, ivlen, secret, secretlen, !quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
iv_label, sizeof iv_label - 1)) iv_label, sizeof iv_label - 1))
return 0; return 0;
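Review bot: the last `quic_hkdf_expand` call in this hunk now takes `tmpkey, sizeof tmpkey` instead of `secret, secretlen`, which brings the IV derivation in line with the key derivation two lines above it, but nothing in the visible code records that invariant; a short comment above the three expand calls stating that `secret` may only feed the first expansion into `tmpkey` (never the key or IV expansions directly) would make a future reintroduction of the weak-secret path obvious in review. It would also help to note in the function's documentation that both the key and the IV are derived from the intermediate `tmpkey`, since callers comparing against earlier releases will see different IV values for the same input once this is backported to v2.6.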