diff --git a/go.mod b/go.mod index 602b7e86..dbe67dcb 100644 --- a/go.mod +++ b/go.mod @@ -12,7 +12,7 @@ require ( github.com/marten-seemann/qtls v0.9.0 github.com/onsi/ginkgo v1.11.0 github.com/onsi/gomega v1.8.1 - golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d + golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 golang.org/x/sync v0.0.0-20190423024810-112230192c58 ) diff --git a/go.sum b/go.sum index 37d79493..4f72452f 100644 --- a/go.sum +++ b/go.sum @@ -127,6 +127,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d h1:1ZiEyfaQIg3Qh0EoqpwAakHVhecoE5wlSg5GjnafJGw= golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5 h1:Q7tZBpemrlsc2I7IyODzhtallWRSm4Q0d09pL6XbQtU= +golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= diff --git a/internal/handshake/aead_test.go b/internal/handshake/aead_test.go index 0149045d..7638b652 100644 --- a/internal/handshake/aead_test.go +++ b/internal/handshake/aead_test.go @@ -1,6 +1,7 @@ package handshake import ( + "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" @@ -79,6 +80,24 @@ var _ = Describe("Long Header AEAD", func() { Expect(lastFourBitsDifferent).To(BeNumerically(">", 75)) }) + It("encrypts and encrypts the header, for a 0xfff..fff sample", func() { + sealer, opener := getSealerAndOpener() + var lastFourBitsDifferent int + for i := 0; i < 100; i++ { + sample := bytes.Repeat([]byte{0xff}, 16) + header := []byte{0xb5, 1, 2, 3, 4, 5, 6, 7, 8, 0xde, 0xad, 0xbe, 0xef} + sealer.EncryptHeader(sample, &header[0], header[9:13]) + if header[0]&0xf != 0xb5&0xf { + lastFourBitsDifferent++ + } + Expect(header[0] & 0xf0).To(Equal(byte(0xb5 & 0xf0))) + Expect(header[1:9]).To(Equal([]byte{1, 2, 3, 4, 5, 6, 7, 8})) + Expect(header[9:13]).ToNot(Equal([]byte{0xde, 0xad, 0xbe, 0xef})) + opener.DecryptHeader(sample, &header[0], header[9:13]) + Expect(header).To(Equal([]byte{0xb5, 1, 2, 3, 4, 5, 6, 7, 8, 0xde, 0xad, 0xbe, 0xef})) + } + }) + It("fails to decrypt the header when using a different sample", func() { sealer, opener := getSealerAndOpener() header := []byte{0xb5, 1, 2, 3, 4, 5, 6, 7, 8, 0xde, 0xad, 0xbe, 0xef} diff --git a/internal/handshake/header_protector.go b/internal/handshake/header_protector.go index 26384d7f..dad59697 100644 --- a/internal/handshake/header_protector.go +++ b/internal/handshake/header_protector.go @@ -3,7 +3,6 @@ package handshake import ( "crypto/aes" "crypto/cipher" - "crypto/rand" "encoding/binary" "fmt" @@ -93,27 +92,10 @@ func newChaChaHeaderProtector(suite *qtls.CipherSuiteTLS13, trafficSecret []byte } func (p *chachaHeaderProtector) DecryptHeader(sample []byte, firstByte *byte, hdrBytes []byte) { - // Workaround for https://github.com/lucas-clemente/quic-go/issues/2326. - // The ChaCha20 implementation panics when the nonce is 0xffffffff. - // Don't apply header protection in that case. - // The packet will end up undecryptable, but it only applies to 1 in 2^32 packets. - if sample[0] == 0xff && sample[1] == 0xff && sample[2] == 0xff && sample[3] == 0xff { - return - } p.apply(sample, firstByte, hdrBytes) } func (p *chachaHeaderProtector) EncryptHeader(sample []byte, firstByte *byte, hdrBytes []byte) { - // Workaround for https://github.com/lucas-clemente/quic-go/issues/2326. - // The ChaCha20 implementation panics when the nonce is 0xffffffff. - // Apply header protection with a random mask, in order to not leak any data. - // The packet will end up undecryptable, but this only applies to 1 in 2^32 packets. - if sample[0] == 0xff && sample[1] == 0xff && sample[2] == 0xff && sample[3] == 0xff { - if _, err := rand.Read(p.mask[:]); err != nil { - panic("couldn't get rand for ChaCha20 bug workaround") - } - p.applyMask(firstByte, hdrBytes) - } p.apply(sample, firstByte, hdrBytes) }