RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: quic: Wrong token length check (quic_generate_retry_token()) 

This bug would never occur because the buffer supplied to quic_generate_retry_token()
to build a Retry token is large enough to embed such a token. Anyway, this patch
fixes quic_generate_retry_token() implementation.

There were two errors: this is the ODCID which is added to the token. Furthermore
the timestamp was not taken into an account.

Must be backported to 2.6 and 2.7.
This commit is contained in:
Frdric Lcaille 2023-05-15 17:40:00 +02:00 committed by Willy Tarreau
parent aaf32f0c83
commit 6d6ddb2ce5
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/quic_conn.c
View File

@ -6396,11 +6396,11 @@ static int quic_generate_retry_token(unsigned char *token, size_t len,
TRACE_ENTER(QUIC_EV_CONN_TXPKT);
/* We copy the odcid into the token, prefixed by its one byte
* length, the format token byte. It is followed by an AEAD TAG, and finally
/* The token is made of the token format byte, the ODCID prefixed by its one byte
* length, the creation timestamp, an AEAD TAG, and finally
* the random bytes used to derive the secret to encrypt the token.
*/
if (1 + dcid->len + 1 + QUIC_TLS_TAG_LEN + sizeof salt > len)
if (1 + odcid->len + 1 + sizeof(timestamp) + QUIC_TLS_TAG_LEN + QUIC_RETRY_TOKEN_SALTLEN > len)
goto err;
aadlen = quic_generate_retry_token_aad(aad, version, dcid, addr);