]> git.kaiwu.me - haproxy.git/commitdiff
projects / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2be6744)
BUG/MINOR: ssl: Use the sequence number with kTLS and TLS 1.2
authorOlivier Houchard <ohouchard@haproxy.com>
Wed, 6 May 2026 16:32:51 +0000 (18:32 +0200)
committerWilliam Lallemand <wlallemand@irq6.net>
Wed, 6 May 2026 19:37:18 +0000 (21:37 +0200)
When using TLS 1.2 and kTLS, use the sequence number as the explicit
nonce (what the linux kTLS API calls "iv"), as is strongly recommanded,
and done by most TLS implementations, instead of trying to generate a
pseudo random-number.
In practice, it changes nothing, because the kernel would override that
with the sequence number anyway, but there is no need to have confusing
code that uses statistical_prng_range() anyway.

This should be backported to 3.3.

src/ssl_sock.c patch | blob | history

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bcc57e280ba784270c5b54828b0c3409f5271b14..1fd2681cf905310d06ecdf86ccf8f8f093c6f129 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6665,9 +6665,7 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
        info.info.cipher_type = known_ciphers[i].tls_cipher;
 
        if (is_tls_12) {
-               unsigned char iv[iv_size];
                int block_key_size = 2 * key_size + 2 * salt_size;
-               int i;
 
                /*
                 * We may have to increase buf size if new ciphers are
@@ -6699,10 +6697,9 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
                 */
                seq = SSL_get_read_sequence(ssl);
                seq = my_htonll(seq);
-               for (i = 0; i < iv_size; i++)
-                       iv[i] = (unsigned char)statistical_prng_range(256);
-               /* IV */
-               memcpy(&info.buf[0], &iv, iv_size);
+
+               /* Use the sequence number as the explicit nonce */
+               memcpy(&info.buf[0], &seq, iv_size);
 
                if (!conn_is_back(ctx->conn)) {
                        /* Key */
@@ -6726,9 +6723,8 @@ static void ssl_sock_setup_ktls(struct ssl_sock_ctx *ctx)
                 */
                seq = SSL_get_write_sequence(ssl);
                seq = my_htonll(seq);
-               for (i = 0; i < iv_size; i++)
-                       iv[i] = (unsigned char)statistical_prng_range(256);
-               memcpy(&info.buf[0], &iv, iv_size);
+               /* Use the sequence number as the explicit nonce */
+               memcpy(&info.buf[0], &seq, iv_size);
                if (!conn_is_back(ctx->conn)) {
                        /* Key */
                        memcpy(&info.buf[iv_size], &buf[key_size], key_size);
haproxy upstream