From 3f7862a0a985ed28d4d9f87f05c79be02b6e75aa Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 25 May 2026 18:31:02 +0200 Subject: [PATCH] MEDIUM: quic: use ha_random64_pair_hashed() to generate the QUIC retry tokens The QUIC retry tokens used to directly return ha_random64(), making the next tokens easily predictable on low-load systems before the XXH64 call. Let's now switch to the faster and safer ha_random64_pair_hashed() instead. --- src/quic_token.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/src/quic_token.c b/src/quic_token.c index 5200225ef..2ac5458af 100644 --- a/src/quic_token.c +++ b/src/quic_token.c @@ -24,8 +24,10 @@ int quic_generate_token(unsigned char *token, size_t len, unsigned char aad[sizeof(struct in6_addr)]; size_t aadlen; uint32_t ts = (uint32_t)date.tv_sec; - uint64_t rand_u64; - unsigned char rand[QUIC_TOKEN_RAND_DLEN]; + union { + uint64_t u64[2]; + uchar u8[QUIC_TOKEN_RAND_DLEN]; + } rand; unsigned char key[16]; unsigned char iv[QUIC_TLS_IV_LEN]; const unsigned char *sec = global.cluster_secret; @@ -35,10 +37,7 @@ int quic_generate_token(unsigned char *token, size_t len, TRACE_ENTER(QUIC_EV_CONN_TXPKT); /* Generate random data to be used as salt to derive the token secret. */ - rand_u64 = ha_random64(); - write_u64(rand, rand_u64); - rand_u64 = ha_random64(); - write_u64(rand + sizeof(rand_u64), rand_u64); + ha_random64_pair_hashed(&rand.u64[0], &rand.u64[1]); if (len < QUIC_TOKEN_LEN) { TRACE_ERROR("too small buffer", QUIC_EV_CONN_TXPKT); @@ -48,7 +47,7 @@ int quic_generate_token(unsigned char *token, size_t len, /* Generate the AAD. */ aadlen = ipaddrcpy(aad, addr); if (!quic_tls_derive_token_secret(EVP_sha256(), key, sizeof key, - iv, sizeof iv, rand, sizeof(rand), + iv, sizeof iv, rand.u8, sizeof(rand.u8), sec, seclen)) { TRACE_ERROR("quic_tls_derive_token_secret() failed", QUIC_EV_CONN_TXPKT); goto err; @@ -71,8 +70,8 @@ int quic_generate_token(unsigned char *token, size_t len, } p += QUIC_TLS_TAG_LEN; - memcpy(p, rand, sizeof(rand)); - p += sizeof(rand); + memcpy(p, rand.u8, sizeof(rand.u8)); + p += sizeof(rand.u8); ret = p - token; leave: