diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h index 69194148d..3b0a40970 100644 --- a/include/haproxy/quic_tls.h +++ b/include/haproxy/quic_tls.h @@ -119,14 +119,14 @@ void quic_aead_iv_build(unsigned char *iv, size_t ivlen, unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn); /* HP protection (AES) */ -int quic_tls_dec_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, +int quic_tls_dec_hp_ctx_init(EVP_CIPHER_CTX **aes_ctx, const EVP_CIPHER *aes, unsigned char *key); -int quic_tls_enc_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, +int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **aes_ctx, const EVP_CIPHER *aes, unsigned char *key); -int quic_tls_aes_decrypt(unsigned char *out, +int quic_tls_hp_decrypt(unsigned char *out, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx); -int quic_tls_aes_encrypt(unsigned char *out, +int quic_tls_hp_encrypt(unsigned char *out, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx); @@ -959,7 +959,7 @@ static inline int qc_new_isecs(struct quic_conn *qc, if (!quic_tls_rx_ctx_init(&rx_ctx->ctx, rx_ctx->aead, rx_ctx->key)) goto err; - if (!quic_tls_enc_aes_ctx_init(&rx_ctx->hp_ctx, rx_ctx->hp, rx_ctx->hp_key)) + if (!quic_tls_enc_hp_ctx_init(&rx_ctx->hp_ctx, rx_ctx->hp, rx_ctx->hp_key)) goto err; if (!quic_tls_derive_keys(ctx->tx.aead, ctx->tx.hp, ctx->tx.md, ver, @@ -972,7 +972,7 @@ static inline int qc_new_isecs(struct quic_conn *qc, if (!quic_tls_tx_ctx_init(&tx_ctx->ctx, tx_ctx->aead, tx_ctx->key)) goto err; - if (!quic_tls_enc_aes_ctx_init(&tx_ctx->hp_ctx, tx_ctx->hp, tx_ctx->hp_key)) + if (!quic_tls_enc_hp_ctx_init(&tx_ctx->hp_ctx, tx_ctx->hp, tx_ctx->hp_key)) goto err; TRACE_LEAVE(QUIC_EV_CONN_ISEC, qc, rx_init_sec, tx_init_sec); diff --git a/src/quic_rx.c b/src/quic_rx.c index 083454272..462f996d0 100644 --- a/src/quic_rx.c +++ b/src/quic_rx.c @@ -91,7 +91,7 @@ static int qc_do_rm_hp(struct quic_conn *qc, sample = pn + QUIC_PACKET_PN_MAXLEN; - if (!quic_tls_aes_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx)) { + if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx)) { TRACE_ERROR("HP removing failed", QUIC_EV_CONN_RMHP, qc, pkt); goto leave; } diff --git a/src/quic_ssl.c b/src/quic_ssl.c index 0b27c7403..79c56d3bb 100644 --- a/src/quic_ssl.c +++ b/src/quic_ssl.c @@ -217,7 +217,7 @@ static int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t goto leave; } - if (!quic_tls_dec_aes_ctx_init(&rx->hp_ctx, rx->hp, rx->hp_key)) { + if (!quic_tls_dec_hp_ctx_init(&rx->hp_ctx, rx->hp, rx->hp_key)) { TRACE_ERROR("could not initial RX TLS cipher context for HP", QUIC_EV_CONN_RWSEC, qc); goto leave; } @@ -260,7 +260,7 @@ write: goto leave; } - if (!quic_tls_enc_aes_ctx_init(&tx->hp_ctx, tx->hp, tx->hp_key)) { + if (!quic_tls_enc_hp_ctx_init(&tx->hp_ctx, tx->hp, tx->hp_key)) { TRACE_ERROR("could not initial TX TLS cipher context for HP", QUIC_EV_CONN_RWSEC, qc); goto leave; } diff --git a/src/quic_tls.c b/src/quic_tls.c index 94d9e7f82..29fa73477 100644 --- a/src/quic_tls.c +++ b/src/quic_tls.c @@ -593,9 +593,9 @@ int quic_tls_rx_ctx_init(QUIC_AEAD_CTX **rx_ctx, return 0; } -/* Initialize <*aes_ctx> AES cipher context with as key for encryption */ -int quic_tls_enc_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, - const EVP_CIPHER *aes, unsigned char *key) +/* Initialize <*hp_ctx> cipher context with as key for header protection encryption */ +int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx, + const EVP_CIPHER *hp, unsigned char *key) { EVP_CIPHER_CTX *ctx; @@ -603,10 +603,10 @@ int quic_tls_enc_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, if (!ctx) return 0; - if (!EVP_EncryptInit_ex(ctx, aes, NULL, key, NULL)) + if (!EVP_EncryptInit_ex(ctx, hp, NULL, key, NULL)) goto err; - *aes_ctx = ctx; + *hp_ctx = ctx; return 1; err: @@ -614,12 +614,12 @@ int quic_tls_enc_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, return 0; } -/* Encrypt bytes from buffer into with as AES +/* Encrypt bytes from buffer into with as * cipher context. This is the responsibility of the caller to check there * is at least bytes of available space in buffer. * Return 1 if succeeded, 0 if not. */ -int quic_tls_aes_encrypt(unsigned char *out, +int quic_tls_hp_encrypt(unsigned char *out, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { @@ -633,9 +633,9 @@ int quic_tls_aes_encrypt(unsigned char *out, return 1; } -/* Initialize <*aes_ctx> AES cipher context with as key for decryption */ -int quic_tls_dec_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, - const EVP_CIPHER *aes, unsigned char *key) +/* Initialize <*hp_ctx> cipher context with as key for header protection decryption */ +int quic_tls_dec_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx, + const EVP_CIPHER *hp, unsigned char *key) { EVP_CIPHER_CTX *ctx; @@ -643,10 +643,10 @@ int quic_tls_dec_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, if (!ctx) return 0; - if (!EVP_DecryptInit_ex(ctx, aes, NULL, key, NULL)) + if (!EVP_DecryptInit_ex(ctx, hp, NULL, key, NULL)) goto err; - *aes_ctx = ctx; + *hp_ctx = ctx; return 1; err: @@ -654,12 +654,12 @@ int quic_tls_dec_aes_ctx_init(EVP_CIPHER_CTX **aes_ctx, return 0; } -/* Decrypt data into with as AES cipher context. +/* Decrypt data into with as cipher context. * This is the responsibility of the caller to check there is at least * bytes into buffer. * Return 1 if succeeded, 0 if not. */ -int quic_tls_aes_decrypt(unsigned char *out, +int quic_tls_hp_decrypt(unsigned char *out, const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx) { diff --git a/src/quic_tx.c b/src/quic_tx.c index 37ff14fea..550ac1bb9 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -1471,13 +1471,13 @@ void quic_apply_header_protection(struct quic_conn *qc, unsigned char *pos, * and at most 4 bytes for the packet number */ unsigned char mask[5] = {0}; - EVP_CIPHER_CTX *aes_ctx = tls_ctx->tx.hp_ctx; + EVP_CIPHER_CTX *hp_ctx = tls_ctx->tx.hp_ctx; TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc); *fail = 0; - if (!quic_tls_aes_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, aes_ctx)) { + if (!quic_tls_hp_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, hp_ctx)) { TRACE_ERROR("could not apply header protection", QUIC_EV_CONN_TXPKT, qc); *fail = 1; goto out;