MEDIUM: quic: add key argument to header protection crypto functions

In order to prepare the code for using Chacha20 with the EVP_AEAD API,
both quic_tls_hp_decrypt() and quic_tls_hp_encrypt() need an extra key
argument.

Indeed Chacha20 does not exists as an EVP_CIPHER in AWS-LC, so the key
won't be embedded into the EVP_CIPHER_CTX, so we need an extra parameter
to use it.

diff --git a/include/haproxy/quic_tls.h b/include/haproxy/quic_tls.h
index 3b0a40970a3d0b0bf523409a7b8f4a78afcf023c..9cc8f10f1a6ff0a89d641e2b2d814315d1f259bf 100644 (file)
--- a/include/haproxy/quic_tls.h
+++ b/include/haproxy/quic_tls.h
@@ -125,10 +125,10 @@ int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **aes_ctx,
                               const EVP_CIPHER *aes, unsigned char *key);
 int quic_tls_hp_decrypt(unsigned char *out,
                          const unsigned char *in, size_t inlen,
-                         EVP_CIPHER_CTX *ctx);
+                         EVP_CIPHER_CTX *ctx, unsigned char *key);
 int quic_tls_hp_encrypt(unsigned char *out,
                          const unsigned char *in, size_t inlen,
-                         EVP_CIPHER_CTX *ctx);
+                         EVP_CIPHER_CTX *ctx, unsigned char *key);
 
 int quic_tls_key_update(struct quic_conn *qc);
 void quic_tls_rotate_keys(struct quic_conn *qc);

diff --git a/src/quic_rx.c b/src/quic_rx.c
index 462f996d00f41c8c7129cf7a443ab1db3f562657..e2dd8fbd06e68a97b80af3032d81d4569f1c9982 100644 (file)
--- a/src/quic_rx.c
+++ b/src/quic_rx.c
@@ -91,7 +91,7 @@ static int qc_do_rm_hp(struct quic_conn *qc,
 
        sample = pn + QUIC_PACKET_PN_MAXLEN;
 
-       if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx)) {
+       if (!quic_tls_hp_decrypt(mask, sample, sizeof mask, tls_ctx->rx.hp_ctx, tls_ctx->rx.hp_key)) {
                TRACE_ERROR("HP removing failed", QUIC_EV_CONN_RMHP, qc, pkt);
                goto leave;
        }

diff --git a/src/quic_tls.c b/src/quic_tls.c
index 29fa7347714acc53421aaed8f64ec7202cfeb369..566584f789f7cd0b842422b9eed30c87c646d285 100644 (file)
--- a/src/quic_tls.c
+++ b/src/quic_tls.c
@@ -621,7 +621,7 @@ int quic_tls_enc_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx,
  */
 int quic_tls_hp_encrypt(unsigned char *out,
                          const unsigned char *in, size_t inlen,
-                         EVP_CIPHER_CTX *ctx)
+                         EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
        int ret = 0;
 
@@ -661,7 +661,7 @@ int quic_tls_dec_hp_ctx_init(EVP_CIPHER_CTX **hp_ctx,
  */
 int quic_tls_hp_decrypt(unsigned char *out,
                          const unsigned char *in, size_t inlen,
-                         EVP_CIPHER_CTX *ctx)
+                         EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
        int ret = 0;
 

diff --git a/src/quic_tx.c b/src/quic_tx.c
index 550ac1bb942dbce494e90deba4faa59bb06db0dd..5f81978abda3facf614cc80bb2b881bbd7d17ffc 100644 (file)
--- a/src/quic_tx.c
+++ b/src/quic_tx.c
@@ -1477,7 +1477,7 @@ void quic_apply_header_protection(struct quic_conn *qc, unsigned char *pos,
 
        *fail = 0;
 
-       if (!quic_tls_hp_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, hp_ctx)) {
+       if (!quic_tls_hp_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, hp_ctx, tls_ctx->tx.hp_key)) {
                TRACE_ERROR("could not apply header protection", QUIC_EV_CONN_TXPKT, qc);
                *fail = 1;
                goto out;