From 075b8f4cd897e8aab682a54db4f1dcd0b1411167 Mon Sep 17 00:00:00 2001
From: Emeric Brun
Date: Mon, 3 Jul 2023 12:14:41 +0200
Subject: [PATCH] BUG/MEDIUM: quic: token IV was not computed using a strong secret

Computing the token key and IV, a stronger derived key was used to compute the key but the weak secret was still used to compute the IV. This could be used to found the secret. This patch fix this using the same derived key than the one used to compute the token key. This should backport until v2.6
---
src/quic_tls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/quic_tls.c b/src/quic_tls.c
index f80e486e6..5e4366368 100644
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -775,7 +775,7 @@ int quic_tls_derive_retry_token_secret(const EVP_MD *md,
 tmpkey_label, sizeof tmpkey_label - 1) ||
 !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
 key_label, sizeof key_label - 1) ||
- !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
+ !quic_hkdf_expand(md, iv, ivlen, tmpkey, sizeof tmpkey,
 iv_label, sizeof iv_label - 1))
 return 0;
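Review bot: The corrected `+` line now expands the IV from `tmpkey`, but nothing in the code records why the caller's raw `secret` must not be used here, which is exactly the mistake this commit undoes and one a later edit could quietly reintroduce; add above the `if` (just outside the hunk) a comment such as `/* Key and IV are both expanded from the derived tmpkey; never expand them from the caller's secret directly. */`. The `sizeof tmpkey` argument suggests `tmpkey` is a fixed-size local buffer that now seeds both outputs; if it is an automatic array, clearing it with an explicit-zeroing call before the `return 0` shown here and before the function's normal return would keep that intermediate key material from lingering on the stack — confirm against the rest of the function, since quic_tls_derive_retry_token_secret both starts and ends outside the hunk. As far as the visible lines go the change itself is right: both expansions now take the same input key and the same length.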