mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: quic: Initialize stateless reset tokens with HKDF secrets

Browse Source 
Add quic_stateless_reset_token_init() wrapper function around
quic_hkdf_extract_and_expand() function to derive the stateless reset tokens
attached to the connection IDs from "cluster-secret" configuration setting
and call it each time we instantiate a QUIC connection ID.
This commit is contained in:
Frédéric Lécaille 2022-05-06 15:07:20 +02:00
parent 0226c521b0
commit 28a1795515
1 changed files with 43 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
src/xprt_quic.c
View File

@ -3262,6 +3262,46 @@ int qc_send_ppkts(struct qring *qr, struct ssl_sock_ctx *ctx)
return 1; return 1;
} }
/* Copy into <buf> buffer a stateless reset token depending on the
* <salt> salt input. This is the cluster secret which will be derived
* as HKDF input secret to generate this token.
* Return 1 if succeeded, 0 if not.
*/
static int quic_stateless_reset_token_cpy(unsigned char *buf, size_t len,
const unsigned char *salt, size_t saltlen)
{
/* Input secret */
const unsigned char *key = (const unsigned char *)global.cluster_secret;
size_t keylen = strlen(global.cluster_secret);
/* Info */
const unsigned char label[] = "stateless token";
size_t labellen = sizeof label - 1;
return quic_hkdf_extract_and_expand(EVP_sha256(), buf, len,
key, keylen, salt, saltlen, label, labellen);
}
/* Initialize the stateless reset token attached to <cid> connection ID.
* Returns 1 if succeeded, 0 if not.
*/
static int quic_stateless_reset_token_init(struct quic_connection_id *quic_cid)
{
if (global.cluster_secret) {
/* Output secret */
unsigned char *token = quic_cid->stateless_reset_token;
size_t tokenlen = sizeof quic_cid->stateless_reset_token;
/* Salt */
const unsigned char *cid = quic_cid->cid.data;
size_t cidlen = quic_cid->cid.len;
return quic_stateless_reset_token_cpy(token, tokenlen, cid, cidlen);
}
else {
return RAND_bytes(quic_cid->stateless_reset_token,
sizeof quic_cid->stateless_reset_token) == 1;
}
}
/* Allocate a new CID with <seq_num> as sequence number and attach it to <root> /* Allocate a new CID with <seq_num> as sequence number and attach it to <root>
* ebtree. * ebtree.
* *
@ -3282,14 +3322,12 @@ static struct quic_connection_id *new_quic_cid(struct eb_root *root,
return NULL; return NULL;
cid->cid.len = QUIC_HAP_CID_LEN; cid->cid.len = QUIC_HAP_CID_LEN;
if (RAND_bytes(cid->cid.data, cid->cid.len) != 1 || if (RAND_bytes(cid->cid.data, cid->cid.len) != 1)
RAND_bytes(cid->stateless_reset_token,
sizeof cid->stateless_reset_token) != 1) {
fprintf(stderr, "Could not generate %d random bytes\n", cid->cid.len);
goto err; goto err;
}
quic_pin_cid_to_tid(cid->cid.data, tid); quic_pin_cid_to_tid(cid->cid.data, tid);
if (quic_stateless_reset_token_init(cid) != 1)
goto err;
cid->qc = qc; cid->qc = qc;