Add parameter

Author: larseggert

fuzz/fuzz_targets/client_initial.rs

@@ -19,7 +19,7 @@ fuzz_target!(|data: &[u8]| {
     let Some((header, d_cid, s_cid, payload)) = decode_initial_header(&ci, Role::Client) else {
         return;
     };
-    let (aead, hp) = initial_aead_and_hp(d_cid, Role::Client);
+    let (aead, _, hp) = initial_aead_and_hp(d_cid, Role::Client);
     let (_, pn) = header_protection::remove(&hp, header, payload);
 
     let mut payload_enc = Encoder::with_capacity(MIN_INITIAL_PACKET_SIZE);

fuzz/fuzz_targets/server_initial.rs

@@ -25,7 +25,7 @@ fuzz_target!(|data: &[u8]| {
     let Some((header, d_cid, s_cid, payload)) = decode_initial_header(&si, Role::Server) else {
         return;
     };
-    let (aead, hp) = initial_aead_and_hp(d_cid, Role::Server);
+    let (aead, _, hp) = initial_aead_and_hp(d_cid, Role::Server);
     let (_, pn) = header_protection::remove(&hp, header, payload);
 
     let mut payload_enc = Encoder::with_capacity(MIN_INITIAL_PACKET_SIZE);

neqo-transport/src/connection/tests/resumption.rs

@@ -108,11 +108,11 @@ fn ticket_rtt(rtt: Duration) -> Duration {
         decode_initial_header(&server_initial, Role::Server).unwrap();
 
     // Now decrypt the packet.
-    let (aead, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
+    let (aead_enc, aead_dec, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
     let (header, pn) = header_protection::remove(&hp, protected_header, payload);
     let pn_len = header.len() - protected_header.len();
     let mut buf = vec![0; payload.len()];
-    let mut plaintext = aead
+    let mut plaintext = aead_dec
         .decrypt(pn, &header, &payload[pn_len..], &mut buf)
         .unwrap()
         .to_owned();
@@ -130,7 +130,8 @@ fn ticket_rtt(rtt: Duration) -> Duration {
     // And rebuild a packet.
     let mut packet = header.clone();
     packet.resize(MIN_INITIAL_PACKET_SIZE, 0);
-    aead.encrypt(pn, &header, &plaintext, &mut packet[header.len()..])
+    aead_enc
+        .encrypt(pn, &header, &plaintext, &mut packet[header.len()..])
         .unwrap();
     header_protection::apply(&hp, &mut packet, protected_header.len()..header.len());
     let si = Datagram::new(

neqo-transport/tests/connection.rs

@@ -109,11 +109,11 @@ fn reorder_server_initial() {
         decode_initial_header(&server_initial, Role::Server).unwrap();
 
     // Now decrypt the packet.
-    let (aead, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
+    let (aead_enc, aead_dec, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
     let (header, pn) = header_protection::remove(&hp, protected_header, payload);
     let pn_len = header.len() - protected_header.len();
     let mut buf = vec![0; payload.len()];
-    let mut plaintext = aead
+    let mut plaintext = aead_dec
         .decrypt(pn, &header, &payload[pn_len..], &mut buf)
         .unwrap()
         .to_owned();
@@ -132,7 +132,8 @@ fn reorder_server_initial() {
     // And rebuild a packet.
     let mut packet = header.clone();
     packet.resize(MIN_INITIAL_PACKET_SIZE, 0);
-    aead.encrypt(pn, &header, &plaintext, &mut packet[header.len()..])
+    aead_enc
+        .encrypt(pn, &header, &plaintext, &mut packet[header.len()..])
         .unwrap();
     header_protection::apply(&hp, &mut packet, protected_header.len()..header.len());
     let reordered = Datagram::new(
@@ -165,7 +166,7 @@ fn set_payload(server_packet: Option<&Datagram>, client_dcid: &[u8], payload: &[
         decode_initial_header(&server_initial, Role::Server).unwrap();
 
     // Now decrypt the packet.
-    let (aead, hp) = initial_aead_and_hp(client_dcid, Role::Server);
+    let (aead, _, hp) = initial_aead_and_hp(client_dcid, Role::Server);
     let (mut header, pn) = header_protection::remove(&hp, protected_header, orig_payload);
     // Re-encode the packet number as four bytes, so we have enough material for the header
     // protection sample if payload is empty.
@@ -253,7 +254,7 @@ fn overflow_crypto() {
 
     // Now decrypt the server packet to get AEAD and HP instances.
     // We won't be using the packet, but making new ones.
-    let (aead, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
+    let (aead, _, hp) = initial_aead_and_hp(&client_dcid, Role::Server);
     let (_, server_dcid, server_scid, _) =
         decode_initial_header(&server_initial, Role::Server).unwrap();
 
@@ -346,7 +347,7 @@ fn client_initial_packet_number() {
         let client_initial = client.process_output(now());
         let (protected_header, client_dcid, _, payload) =
             decode_initial_header(client_initial.as_dgram_ref().unwrap(), Role::Client).unwrap();
-        let (_, hp) = initial_aead_and_hp(client_dcid, Role::Client);
+        let (_, _, hp) = initial_aead_and_hp(client_dcid, Role::Client);
         let (_, pn) = header_protection::remove(&hp, protected_header, payload);
         assert!(
             randomize && pn > 0 || !randomize && pn == 0,
@@ -377,7 +378,7 @@ fn server_initial_packet_number() {
         let (_protected_header, client_dcid, _scid, _payload) =
             decode_initial_header(client_initial.as_ref().unwrap(), Role::Client).unwrap();
 
-        let (_, hp) = initial_aead_and_hp(client_dcid, Role::Server);
+        let (_, _, hp) = initial_aead_and_hp(client_dcid, Role::Server);
 
         let server_initial = server.process(client_initial, now()).dgram();
         let (protected_header, _dcid, _scid, payload) =

neqo-transport/tests/retry.rs

@@ -462,13 +462,13 @@ fn mitm_retry() {
         decode_initial_header(&client_initial2, Role::Client).unwrap();
 
     // Now we have enough information to make keys.
-    let (aead, hp) = initial_aead_and_hp(d_cid, Role::Client);
+    let (aead_enc, aead_dec, hp) = initial_aead_and_hp(d_cid, Role::Client);
     let (header, pn) = header_protection::remove(&hp, protected_header, payload);
     let pn_len = header.len() - protected_header.len();
 
     // Decrypt.
     let mut plaintext_buf = vec![0; client_initial2.len()];
-    let plaintext = aead
+    let plaintext = aead_dec
         .decrypt(pn, &header, &payload[pn_len..], &mut plaintext_buf)
         .unwrap();
 
@@ -489,13 +489,14 @@ fn mitm_retry() {
         .as_ref()
         .to_vec();
     notoken_packet.resize_with(MIN_INITIAL_PACKET_SIZE, u8::default);
-    aead.encrypt(
-        pn,
-        &notoken_header,
-        plaintext,
-        &mut notoken_packet[notoken_header.len()..],
-    )
-    .unwrap();
+    aead_enc
+        .encrypt(
+            pn,
+            &notoken_header,
+            plaintext,
+            &mut notoken_packet[notoken_header.len()..],
+        )
+        .unwrap();
     // Unlike with decryption, don't truncate.
     // All MIN_INITIAL_PACKET_SIZE bytes are needed to reach the minimum datagram size.
 
@@ -545,7 +546,7 @@ fn retry_short_dcid() {
     let short_dcid = &[0x01, 0x02, 0x03, 0x04];
 
     // Decrypt with the original DCID.
-    let (aead_orig, hp_orig) = initial_aead_and_hp(d_cid, Role::Client);
+    let (_, aead_orig, hp_orig) = initial_aead_and_hp(d_cid, Role::Client);
     let (header, pn) = header_protection::remove(&hp_orig, protected_header, payload);
     let pn_len = header.len() - protected_header.len();
 
@@ -565,7 +566,7 @@ fn retry_short_dcid() {
     let short_dcid_header = enc.encode_uint(pn_len, pn).as_ref().to_vec();
 
     // Encrypt with keys derived from short DCID.
-    let (aead_short, hp_short) = initial_aead_and_hp(short_dcid, Role::Client);
+    let (aead_short, _, hp_short) = initial_aead_and_hp(short_dcid, Role::Client);
     let mut short_dcid_packet = Encoder::with_capacity(MIN_INITIAL_PACKET_SIZE)
         .encode(&short_dcid_header)
         .as_ref()

neqo-transport/tests/server.rs

@@ -439,12 +439,12 @@ fn bad_client_initial() {
 
     let dgram = client.process_output(now()).dgram().expect("a datagram");
     let (header, d_cid, s_cid, payload) = decode_initial_header(&dgram, Role::Client).unwrap();
-    let (aead, hp) = initial_aead_and_hp(d_cid, Role::Client);
+    let (aead_enc, aead_dec, hp) = initial_aead_and_hp(d_cid, Role::Client);
     let (fixed_header, pn) = header_protection::remove(&hp, header, payload);
     let payload = &payload[(fixed_header.len() - header.len())..];
 
     let mut plaintext_buf = vec![0; dgram.len()];
-    let plaintext = aead
+    let plaintext = aead_dec
         .decrypt(pn, &fixed_header, payload, &mut plaintext_buf)
         .unwrap();
 
@@ -459,13 +459,16 @@ fn bad_client_initial() {
         .encode_vec(1, d_cid)
         .encode_vec(1, s_cid)
         .encode_vvec(&[])
-        .encode_varint(u64::try_from(payload_enc.len() + aead.expansion() + PN_LEN).unwrap())
+        .encode_varint(u64::try_from(payload_enc.len() + aead_enc.expansion() + PN_LEN).unwrap())
         .encode_byte(u8::try_from(pn >> 8).unwrap())
         .encode_byte(u8::try_from(pn & 0xff).unwrap());
 
     let mut ciphertext = header_enc.as_ref().to_vec();
-    ciphertext.resize(header_enc.len() + payload_enc.len() + aead.expansion(), 0);
-    let v = aead
+    ciphertext.resize(
+        header_enc.len() + payload_enc.len() + aead_enc.expansion(),
+        0,
+    );
+    let v = aead_enc
         .encrypt(
             pn,
             header_enc.as_ref(),
@@ -537,7 +540,7 @@ fn bad_client_initial_connection_close() {
 
     let dgram = client.process_output(now()).dgram().expect("a datagram");
     let (header, d_cid, s_cid, payload) = decode_initial_header(&dgram, Role::Client).unwrap();
-    let (aead, hp) = initial_aead_and_hp(d_cid, Role::Client);
+    let (aead, _, hp) = initial_aead_and_hp(d_cid, Role::Client);
     let (_, pn) = header_protection::remove(&hp, header, payload);
 
     let mut payload_enc = Encoder::with_capacity(MIN_INITIAL_PACKET_SIZE);

test-fixture/src/header_protection.rs

@@ -64,7 +64,7 @@ pub fn decode_initial_header(dgram: &Datagram, role: Role) -> Option<(&[u8], &[u
 /// Generate an AEAD and header protection object for a client Initial.
 /// Note that this works for QUIC version 1 only.
 #[must_use]
-pub fn initial_aead_and_hp(dcid: &[u8], role: Role) -> (Aead, hp::Key) {
+pub fn initial_aead_and_hp(dcid: &[u8], role: Role) -> (Aead, Aead, hp::Key) {
     const INITIAL_SALT: &[u8] = &[
         0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c,
         0xad, 0xcc, 0xbb, 0x7f, 0x0a,
@@ -92,15 +92,19 @@ pub fn initial_aead_and_hp(dcid: &[u8], role: Role) -> (Aead, hp::Key) {
         },
     )
     .unwrap();
-    (
+    let make = |mode| {
         Aead::new(
             TLS_VERSION_1_3,
             TLS_AES_128_GCM_SHA256,
             &secret,
             "quic ",
-            Mode::Encrypt,
+            mode,
         )
-        .unwrap(),
+        .unwrap()
+    };
+    (
+        make(Mode::Encrypt),
+        make(Mode::Decrypt),
         hp::Key::extract(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic hp").unwrap(),
     )
 }