diff --git a/internal/handshake/aead.go b/internal/handshake/aead.go
index 26d481df..f11372c8 100644
--- a/internal/handshake/aead.go
+++ b/internal/handshake/aead.go
@@ -10,11 +10,11 @@ import (
 type sealer struct {
 	iv []byte
 	aead cipher.AEAD
-	pnEncrypter cipher.Block
+	hpEncrypter cipher.Block
 	// use a single slice to avoid allocations
 	nonceBuf []byte
-	pnMask []byte
+	hpMask []byte
 	// short headers protect 5 bits in the first byte, long headers only 4
 	is1RTT bool
@@ -22,14 +22,14 @@ type sealer struct {
 var _ Sealer = &sealer{}
-func newSealer(aead cipher.AEAD, iv []byte, pnEncrypter cipher.Block, is1RTT bool) Sealer {
+func newSealer(aead cipher.AEAD, iv []byte, hpEncrypter cipher.Block, is1RTT bool) Sealer {
 	return &sealer{
 		iv: iv,
 		aead: aead,
 		nonceBuf: make([]byte, aead.NonceSize()),
 		is1RTT: is1RTT,
-		pnEncrypter: pnEncrypter,
-		pnMask: make([]byte, pnEncrypter.BlockSize()),
+		hpEncrypter: hpEncrypter,
+		hpMask: make([]byte, hpEncrypter.BlockSize()),
 	}
 }
@@ -46,17 +46,17 @@ func (s *sealer) Seal(dst, src []byte, pn protocol.PacketNumber, ad []byte) []by
 }
 func (s *sealer) EncryptHeader(sample []byte, firstByte *byte, pnBytes []byte) {
-	if len(sample) != s.pnEncrypter.BlockSize() {
+	if len(sample) != s.hpEncrypter.BlockSize() {
 		panic("invalid sample size")
 	}
-	s.pnEncrypter.Encrypt(s.pnMask, sample)
+	s.hpEncrypter.Encrypt(s.hpMask, sample)
 	if s.is1RTT {
-		*firstByte ^= s.pnMask[0] & 0x1f
+		*firstByte ^= s.hpMask[0] & 0x1f
 	} else {
-		*firstByte ^= s.pnMask[0] & 0xf
+		*firstByte ^= s.hpMask[0] & 0xf
 	}
 	for i := range pnBytes {
-		pnBytes[i] ^= s.pnMask[i+1]
+		pnBytes[i] ^= s.hpMask[i+1]
 	}
 }
@@ -71,7 +71,7 @@ type opener struct {
 	// use a single slice to avoid allocations
 	nonceBuf []byte
-	pnMask []byte
+	hpMask []byte
 	// short headers protect 5 bits in the first byte, long headers only 4
 	is1RTT bool
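Review bot: EncryptHeader in the -46 hunk validates `len(sample)` against the block size but never checks `len(pnBytes)` against the mask, so the loop `pnBytes[i] ^= s.hpMask[i+1]` reads past `s.hpMask` (sized `hpEncrypter.BlockSize()`) as soon as a caller hands in more than BlockSize-1 packet-number bytes, and fails with a bare index-out-of-range panic instead of the explicit panic style the function already uses. A parallel guard next to the sample check, `if len(pnBytes) > len(s.hpMask)-1 { panic("invalid packet number length") }`, keeps the failure explicit and documents the contract; the same applies to DecryptHeader in the -106 hunk. I assume QUIC packet numbers are at most four bytes here, so this is a programmer-error guard rather than a reachable input path, but the hunk does not show where pnBytes is sized.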
@@ -86,7 +86,7 @@ func newOpener(aead cipher.AEAD, iv []byte, pnDecrypter cipher.Block, is1RTT boo
 		nonceBuf: make([]byte, aead.NonceSize()),
 		is1RTT: is1RTT,
 		pnDecrypter: pnDecrypter,
-		pnMask: make([]byte, pnDecrypter.BlockSize()),
+		hpMask: make([]byte, pnDecrypter.BlockSize()),
 	}
 }
@@ -106,13 +106,13 @@ func (o *opener) DecryptHeader(sample []byte, firstByte *byte, pnBytes []byte) {
 	if len(sample) != o.pnDecrypter.BlockSize() {
 		panic("invalid sample size")
 	}
-	o.pnDecrypter.Encrypt(o.pnMask, sample)
+	o.pnDecrypter.Encrypt(o.hpMask, sample)
 	if o.is1RTT {
-		*firstByte ^= o.pnMask[0] & 0x1f
+		*firstByte ^= o.hpMask[0] & 0x1f
 	} else {
-		*firstByte ^= o.pnMask[0] & 0xf
+		*firstByte ^= o.hpMask[0] & 0xf
 	}
 	for i := range pnBytes {
-		pnBytes[i] ^= o.pnMask[i+1]
+		pnBytes[i] ^= o.hpMask[i+1]
 	}
 }
diff --git a/internal/handshake/crypto_setup.go b/internal/handshake/crypto_setup.go
index e5afaab6..934084d2 100644
--- a/internal/handshake/crypto_setup.go
+++ b/internal/handshake/crypto_setup.go
@@ -412,15 +412,15 @@ func (h *cryptoSetup) ReadHandshakeMessage() ([]byte, error) {
 func (h *cryptoSetup) SetReadKey(suite *qtls.CipherSuite, trafficSecret []byte) {
 	key := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "key", suite.KeyLen())
 	iv := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "iv", suite.IVLen())
-	pnKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen())
-	pnDecrypter, err := aes.NewCipher(pnKey)
+	hpKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen())
+	hpDecrypter, err := aes.NewCipher(hpKey)
 	if err != nil {
 		panic(fmt.Sprintf("error creating new AES cipher: %s", err))
 	}
 	opener := newOpener(
 		suite.AEAD(key, iv),
 		iv,
-		pnDecrypter,
+		hpDecrypter,
 		h.readEncLevel == protocol.Encryption1RTT,
 	)
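Review bot: The rename stops short on the opener side: the -86 hunk keeps `pnDecrypter: pnDecrypter,` next to the renamed `hpMask`, the -106 hunk keeps `o.pnDecrypter.Encrypt(o.hpMask, sample)` and `len(sample) != o.pnDecrypter.BlockSize()`, and the newOpener signature in the -86 hunk header still reads `pnDecrypter cipher.Block`, while sealer is renamed to `hpEncrypter` throughout. Renaming the opener field and parameter to `hpDecrypter` (so `hpDecrypter: hpDecrypter,` and `o.hpDecrypter.Encrypt(o.hpMask, sample)`) makes the two types mirror each other, and the caller in crypto_setup.go already passes a variable named `hpDecrypter`. The opener struct's field list and the start of newOpener lie outside these hunks.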
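Review bot: In SetReadKey the header-protection key is still derived under the old label: `hpKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen())` renames only the variable, whereas the Initial keys in initial_aead.go (the -58 hunk) use `"quic hp"`. If the draft this code targets renamed the handshake/1-RTT label together with the concept, this line and the identical one in SetWriteKey in the next hunk derive a key the peer will not match, which shows up as packets that fail header unprotection rather than as a clear error; if keeping `"pn"` is deliberate, a comment such as `// label is "pn" for the draft version this implements; Initial keys use "quic hp"` would stop the next reader from "fixing" it. I cannot tell from the hunk which label the targeted draft specifies, so this is a question rather than a confirmed defect.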
@@ -442,15 +442,15 @@ func (h *cryptoSetup) SetReadKey(suite *qtls.CipherSuite, trafficSecret []byte)
 func (h *cryptoSetup) SetWriteKey(suite *qtls.CipherSuite, trafficSecret []byte) {
 	key := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "key", suite.KeyLen())
 	iv := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "iv", suite.IVLen())
-	pnKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen())
-	pnEncrypter, err := aes.NewCipher(pnKey)
+	hpKey := qtls.HkdfExpandLabel(suite.Hash(), trafficSecret, []byte{}, "pn", suite.KeyLen())
+	hpEncrypter, err := aes.NewCipher(hpKey)
 	if err != nil {
 		panic(fmt.Sprintf("error creating new AES cipher: %s", err))
 	}
 	sealer := newSealer(
 		suite.AEAD(key, iv),
 		iv,
-		pnEncrypter,
+		hpEncrypter,
 		h.writeEncLevel == protocol.Encryption1RTT,
 	)
diff --git a/internal/handshake/initial_aead.go b/internal/handshake/initial_aead.go
index 1a6efb08..a626df2a 100644
--- a/internal/handshake/initial_aead.go
+++ b/internal/handshake/initial_aead.go
@@ -21,8 +21,8 @@ func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Se
 		mySecret = serverSecret
 		otherSecret = clientSecret
 	}
-	myKey, myPNKey, myIV := computeInitialKeyAndIV(mySecret)
-	otherKey, otherPNKey, otherIV := computeInitialKeyAndIV(otherSecret)
+	myKey, myHPKey, myIV := computeInitialKeyAndIV(mySecret)
+	otherKey, otherHPKey, otherIV := computeInitialKeyAndIV(otherSecret)
 	encrypterCipher, err := aes.NewCipher(myKey)
 	if err != nil {
@@ -32,7 +32,7 @@ func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Se
 	if err != nil {
 		return nil, nil, err
 	}
-	pnEncrypter, err := aes.NewCipher(myPNKey)
+	hpEncrypter, err := aes.NewCipher(myHPKey)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -44,11 +44,11 @@ func newInitialAEAD(connID protocol.ConnectionID, pers protocol.Perspective) (Se
 	if err != nil {
 		return nil, nil, err
 	}
-	pnDecrypter, err := aes.NewCipher(otherPNKey)
+	hpDecrypter, err := aes.NewCipher(otherHPKey)
 	if err != nil {
 		return nil, nil, err
 	}
-	return newSealer(encrypter, myIV, pnEncrypter, false), newOpener(decrypter, otherIV, pnDecrypter, false), nil
+	return newSealer(encrypter, myIV, hpEncrypter, false), newOpener(decrypter, otherIV, hpDecrypter, false), nil
 }
 func computeSecrets(connID protocol.ConnectionID) (clientSecret, serverSecret []byte) {
@@ -58,9 +58,9 @@ func computeSecrets(connID protocol.ConnectionID) (clientSecret, serverSecret []
 	return
 }
-func computeInitialKeyAndIV(secret []byte) (key, pnKey, iv []byte) {
+func computeInitialKeyAndIV(secret []byte) (key, hpKey, iv []byte) {
 	key = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
-	pnKey = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16)
+	hpKey = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16)
 	iv = qtls.HkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
 	return
 }
diff --git a/internal/handshake/initial_aead_test.go b/internal/handshake/initial_aead_test.go
index 3670bc45..972d18c3 100644
--- a/internal/handshake/initial_aead_test.go
+++ b/internal/handshake/initial_aead_test.go
@@ -32,12 +32,12 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 	It("computes the client key and IV", func() {
 		clientSecret, _ := computeSecrets(connID)
-		key, pnKey, iv := computeInitialKeyAndIV(clientSecret)
+		key, hpKey, iv := computeInitialKeyAndIV(clientSecret)
 		Expect(key).To(Equal([]byte{
 			0x86, 0xd1, 0x83, 0x04, 0x80, 0xb4, 0x0f, 0x86,
 			0xcf, 0x9d, 0x68, 0xdc, 0xad, 0xf3, 0x5d, 0xfe,
 		}))
-		Expect(pnKey).To(Equal([]byte{
+		Expect(hpKey).To(Equal([]byte{
 			0xcd, 0x25, 0x3a, 0x36, 0xff, 0x93, 0x93, 0x7c,
 			0x46, 0x93, 0x84, 0xa8, 0x23, 0xaf, 0x6c, 0x56,
 		}))
@@ -49,12 +49,12 @@ var _ = Describe("Initial AEAD using AES-GCM", func() {
 	It("computes the server key and IV", func() {
 		_, serverSecret := computeSecrets(connID)
-		key, pnKey, iv := computeInitialKeyAndIV(serverSecret)
+		key, hpKey, iv := computeInitialKeyAndIV(serverSecret)
 		Expect(key).To(Equal([]byte{
 			0x2c, 0x78, 0x63, 0x3e, 0x20, 0x6e, 0x99, 0xad,
 			0x25, 0x19, 0x64, 0xf1, 0x9f, 0x6d, 0xcd, 0x6d,
 		}))
-		Expect(pnKey).To(Equal([]byte{
+		Expect(hpKey).To(Equal([]byte{
 			0x25, 0x79, 0xd8, 0x69, 0x6f, 0x85, 0xed, 0xa6,
 			0x8d, 0x35, 0x02, 0xb6, 0x55, 0x96, 0x58, 0x6b,
 		}))