forked from quic-go/quic-go
simplify the interaction with mint
This commit is contained in:
Marten Seemann
@@ -10,15 +10,14 @@ const (
|
||||
serverExporterLabel = "EXPORTER-QUIC server 1-RTT Secret"
|
||||
)
|
||||
|
||||
// MintController is an interface that bundles all methods needed to interact with mint
|
||||
type MintController interface {
|
||||
Handshake() mint.Alert
|
||||
// A TLSExporter gets the negotiated ciphersuite and computes exporter
|
||||
type TLSExporter interface {
|
||||
GetCipherSuite() mint.CipherSuiteParams
|
||||
ComputeExporter(label string, context []byte, keyLength int) ([]byte, error)
|
||||
}
|
||||
|
||||
// DeriveAESKeys derives the AES keys and creates a matching AES-GCM AEAD instance
|
||||
func DeriveAESKeys(mc MintController, pers protocol.Perspective) (AEAD, error) {
|
||||
func DeriveAESKeys(tls TLSExporter, pers protocol.Perspective) (AEAD, error) {
|
||||
var myLabel, otherLabel string
|
||||
if pers == protocol.PerspectiveClient {
|
||||
myLabel = clientExporterLabel
|
||||
@@ -27,20 +26,20 @@ func DeriveAESKeys(mc MintController, pers protocol.Perspective) (AEAD, error) {
|
||||
myLabel = serverExporterLabel
|
||||
otherLabel = clientExporterLabel
|
||||
}
|
||||
myKey, myIV, err := computeKeyAndIV(mc, myLabel)
|
||||
myKey, myIV, err := computeKeyAndIV(tls, myLabel)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
otherKey, otherIV, err := computeKeyAndIV(mc, otherLabel)
|
||||
otherKey, otherIV, err := computeKeyAndIV(tls, otherLabel)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewAEADAESGCM(otherKey, myKey, otherIV, myIV)
|
||||
}
|
||||
|
||||
func computeKeyAndIV(mc MintController, label string) (key, iv []byte, err error) {
|
||||
cs := mc.GetCipherSuite()
|
||||
secret, err := mc.ComputeExporter(label, nil, cs.Hash.Size())
|
||||
func computeKeyAndIV(tls TLSExporter, label string) (key, iv []byte, err error) {
|
||||
cs := tls.GetCipherSuite()
|
||||
secret, err := tls.ComputeExporter(label, nil, cs.Hash.Size())
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
@@ -10,16 +10,16 @@ import (
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
type mockMintController struct {
|
||||
type mockTLSExporter struct {
|
||||
hash crypto.Hash
|
||||
computerError error
|
||||
}
|
||||
|
||||
var _ MintController = &mockMintController{}
|
||||
var _ TLSExporter = &mockTLSExporter{}
|
||||
|
||||
func (c *mockMintController) Handshake() mint.Alert { panic("not implemented") }
|
||||
func (c *mockTLSExporter) Handshake() mint.Alert { panic("not implemented") }
|
||||
|
||||
func (c *mockMintController) GetCipherSuite() mint.CipherSuiteParams {
|
||||
func (c *mockTLSExporter) GetCipherSuite() mint.CipherSuiteParams {
|
||||
return mint.CipherSuiteParams{
|
||||
Hash: c.hash,
|
||||
KeyLen: 32,
|
||||
@@ -27,7 +27,7 @@ func (c *mockMintController) GetCipherSuite() mint.CipherSuiteParams {
|
||||
}
|
||||
}
|
||||
|
||||
func (c *mockMintController) ComputeExporter(label string, context []byte, keyLength int) ([]byte, error) {
|
||||
func (c *mockTLSExporter) ComputeExporter(label string, context []byte, keyLength int) ([]byte, error) {
|
||||
if c.computerError != nil {
|
||||
return nil, c.computerError
|
||||
}
|
||||
@@ -36,9 +36,9 @@ func (c *mockMintController) ComputeExporter(label string, context []byte, keyLe
|
||||
|
||||
var _ = Describe("Key Derivation", func() {
|
||||
It("derives keys", func() {
|
||||
clientAEAD, err := DeriveAESKeys(&mockMintController{hash: crypto.SHA256}, protocol.PerspectiveClient)
|
||||
clientAEAD, err := DeriveAESKeys(&mockTLSExporter{hash: crypto.SHA256}, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
serverAEAD, err := DeriveAESKeys(&mockMintController{hash: crypto.SHA256}, protocol.PerspectiveServer)
|
||||
serverAEAD, err := DeriveAESKeys(&mockTLSExporter{hash: crypto.SHA256}, protocol.PerspectiveServer)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
ciphertext := clientAEAD.Seal(nil, []byte("foobar"), 0, []byte("aad"))
|
||||
data, err := serverAEAD.Open(nil, ciphertext, 0, []byte("aad"))
|
||||
@@ -47,9 +47,9 @@ var _ = Describe("Key Derivation", func() {
|
||||
})
|
||||
|
||||
It("fails when different hash functions are used", func() {
|
||||
clientAEAD, err := DeriveAESKeys(&mockMintController{hash: crypto.SHA256}, protocol.PerspectiveClient)
|
||||
clientAEAD, err := DeriveAESKeys(&mockTLSExporter{hash: crypto.SHA256}, protocol.PerspectiveClient)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
serverAEAD, err := DeriveAESKeys(&mockMintController{hash: crypto.SHA512}, protocol.PerspectiveServer)
|
||||
serverAEAD, err := DeriveAESKeys(&mockTLSExporter{hash: crypto.SHA512}, protocol.PerspectiveServer)
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
ciphertext := clientAEAD.Seal(nil, []byte("foobar"), 0, []byte("aad"))
|
||||
_, err = serverAEAD.Open(nil, ciphertext, 0, []byte("aad"))
|
||||
@@ -58,7 +58,7 @@ var _ = Describe("Key Derivation", func() {
|
||||
|
||||
It("fails when computing the exporter fails", func() {
|
||||
testErr := errors.New("test error")
|
||||
_, err := DeriveAESKeys(&mockMintController{hash: crypto.SHA256, computerError: testErr}, protocol.PerspectiveClient)
|
||||
_, err := DeriveAESKeys(&mockTLSExporter{hash: crypto.SHA256, computerError: testErr}, protocol.PerspectiveClient)
|
||||
Expect(err).To(MatchError(testErr))
|
||||
})
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user