From f2f4a4eee5a3979e8093bc6ffe713baa663a6437 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Tue, 5 Apr 2022 12:18:46 +0200 Subject: [PATCH] MINOR: quic_tls: Stop hardcoding cipher IV lengths For QUIC AEAD usage, the number of bytes for the IVs is always 12. --- include/haproxy/quic_tls-t.h | 5 ++++- src/quic_tls.c | 4 ++-- src/xprt_quic.c | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/include/haproxy/quic_tls-t.h b/include/haproxy/quic_tls-t.h index 59a8186e4..95fefc486 100644 --- a/include/haproxy/quic_tls-t.h +++ b/include/haproxy/quic_tls-t.h @@ -86,8 +86,11 @@ enum quic_tls_pktns { QUIC_TLS_PKTNS_MAX, }; -/* The ciphersuites for AEAD QUIC-TLS have 16-bytes authentication tag */ +/* The ciphersuites for AEAD QUIC-TLS have 16-bytes authentication tags and + * 12 bytes for IVs. + */ #define QUIC_TLS_TAG_LEN 16 +#define QUIC_TLS_IV_LEN 12 extern unsigned char initial_salt[20]; diff --git a/src/quic_tls.c b/src/quic_tls.c index cff461c8d..f8d11a305 100644 --- a/src/quic_tls.c +++ b/src/quic_tls.c @@ -317,7 +317,7 @@ int quic_tls_rx_ctx_init(EVP_CIPHER_CTX **rx_ctx, return 0; if (!EVP_DecryptInit_ex(ctx, aead, NULL, NULL, NULL) || - !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || + !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) || (aead_nid == NID_aes_128_ccm && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) || !EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL)) @@ -346,7 +346,7 @@ int quic_tls_tx_ctx_init(EVP_CIPHER_CTX **tx_ctx, return 0; if (!EVP_EncryptInit_ex(ctx, aead, NULL, NULL, NULL) || - !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || + !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) || (aead_nid == NID_aes_128_ccm && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) || !EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL)) diff --git a/src/xprt_quic.c b/src/xprt_quic.c index 01bf9e055..d120efcd5 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -1334,7 +1334,7 @@ static int quic_packet_encrypt(unsigned char *payload, size_t payload_len, unsigned char *aad, size_t aad_len, uint64_t pn, struct quic_tls_ctx *tls_ctx, struct quic_conn *qc) { - unsigned char iv[12]; + unsigned char iv[QUIC_TLS_IV_LEN]; unsigned char *tx_iv = tls_ctx->tx.iv; size_t tx_iv_sz = tls_ctx->tx.ivlen; struct enc_debug_info edi; @@ -1364,7 +1364,7 @@ static int quic_packet_encrypt(unsigned char *payload, size_t payload_len, static int qc_pkt_decrypt(struct quic_rx_packet *pkt, struct quic_enc_level *qel) { int ret, kp_changed; - unsigned char iv[12]; + unsigned char iv[QUIC_TLS_IV_LEN]; struct quic_tls_ctx *tls_ctx = &qel->tls_ctx; unsigned char *rx_iv = tls_ctx->rx.iv; size_t rx_iv_sz = tls_ctx->rx.ivlen;