/src/openssl32/ssl/quic/quic_wire_pkt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/err.h> |
11 | | #include "internal/common.h" |
12 | | #include "internal/quic_wire_pkt.h" |
13 | | |
14 | | int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr, |
15 | | OSSL_LIB_CTX *libctx, |
16 | | const char *propq, |
17 | | uint32_t cipher_id, |
18 | | const unsigned char *quic_hp_key, |
19 | | size_t quic_hp_key_len) |
20 | 78.6k | { |
21 | 78.6k | const char *cipher_name = NULL; |
22 | | |
23 | 78.6k | switch (cipher_id) { |
24 | 46.6k | case QUIC_HDR_PROT_CIPHER_AES_128: |
25 | 46.6k | cipher_name = "AES-128-ECB"; |
26 | 46.6k | break; |
27 | 30.2k | case QUIC_HDR_PROT_CIPHER_AES_256: |
28 | 30.2k | cipher_name = "AES-256-ECB"; |
29 | 30.2k | break; |
30 | 1.72k | case QUIC_HDR_PROT_CIPHER_CHACHA: |
31 | 1.72k | cipher_name = "ChaCha20"; |
32 | 1.72k | break; |
33 | 0 | default: |
34 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED); |
35 | 0 | return 0; |
36 | 78.6k | } |
37 | | |
38 | 78.6k | hpr->cipher_ctx = EVP_CIPHER_CTX_new(); |
39 | 78.6k | if (hpr->cipher_ctx == NULL) { |
40 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
41 | 0 | return 0; |
42 | 0 | } |
43 | | |
44 | 78.6k | hpr->cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq); |
45 | 78.6k | if (hpr->cipher == NULL |
46 | 78.6k | || quic_hp_key_len != (size_t)EVP_CIPHER_get_key_length(hpr->cipher)) { |
47 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
48 | 0 | goto err; |
49 | 0 | } |
50 | | |
51 | 78.6k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, hpr->cipher, NULL, |
52 | 78.6k | quic_hp_key, NULL, 1)) { |
53 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
54 | 0 | goto err; |
55 | 0 | } |
56 | | |
57 | 78.6k | hpr->libctx = libctx; |
58 | 78.6k | hpr->propq = propq; |
59 | 78.6k | hpr->cipher_id = cipher_id; |
60 | 78.6k | return 1; |
61 | | |
62 | 0 | err: |
63 | 0 | ossl_quic_hdr_protector_cleanup(hpr); |
64 | 0 | return 0; |
65 | 78.6k | } |
66 | | |
67 | | void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr) |
68 | 78.6k | { |
69 | 78.6k | EVP_CIPHER_CTX_free(hpr->cipher_ctx); |
70 | 78.6k | hpr->cipher_ctx = NULL; |
71 | | |
72 | 78.6k | EVP_CIPHER_free(hpr->cipher); |
73 | 78.6k | hpr->cipher = NULL; |
74 | 78.6k | } |
75 | | |
76 | | static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr, |
77 | | const unsigned char *sample, size_t sample_len, |
78 | | unsigned char *mask) |
79 | 1.39M | { |
80 | 1.39M | int l = 0; |
81 | 1.39M | unsigned char dst[16]; |
82 | 1.39M | static const unsigned char zeroes[5] = {0}; |
83 | 1.39M | size_t i; |
84 | | |
85 | 1.39M | if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_128 |
86 | 1.39M | || hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_256) { |
87 | 1.35M | if (sample_len < 16) { |
88 | 1.70k | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
89 | 1.70k | return 0; |
90 | 1.70k | } |
91 | | |
92 | 1.35M | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, NULL, 1) |
93 | 1.35M | || !EVP_CipherUpdate(hpr->cipher_ctx, dst, &l, sample, 16)) { |
94 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
95 | 0 | return 0; |
96 | 0 | } |
97 | | |
98 | 8.10M | for (i = 0; i < 5; ++i) |
99 | 6.75M | mask[i] = dst[i]; |
100 | 1.35M | } else if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_CHACHA) { |
101 | 47.6k | if (sample_len < 16) { |
102 | 696 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
103 | 696 | return 0; |
104 | 696 | } |
105 | | |
106 | 46.9k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, sample, 1) |
107 | 46.9k | || !EVP_CipherUpdate(hpr->cipher_ctx, mask, &l, |
108 | 46.9k | zeroes, sizeof(zeroes))) { |
109 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
110 | 0 | return 0; |
111 | 0 | } |
112 | 46.9k | } else { |
113 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
114 | 0 | assert(0); |
115 | 0 | return 0; |
116 | 0 | } |
117 | | |
118 | 1.39M | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
119 | | /* No matter what we did above we use the same mask in fuzzing mode */ |
120 | 1.39M | memset(mask, 0, 5); |
121 | 1.39M | #endif |
122 | | |
123 | 1.39M | return 1; |
124 | 1.39M | } |
125 | | |
126 | | int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr, |
127 | | QUIC_PKT_HDR_PTRS *ptrs) |
128 | 578k | { |
129 | 578k | return ossl_quic_hdr_protector_decrypt_fields(hpr, |
130 | 578k | ptrs->raw_sample, |
131 | 578k | ptrs->raw_sample_len, |
132 | 578k | ptrs->raw_start, |
133 | 578k | ptrs->raw_pn); |
134 | 578k | } |
135 | | |
136 | | int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
137 | | const unsigned char *sample, |
138 | | size_t sample_len, |
139 | | unsigned char *first_byte, |
140 | | unsigned char *pn_bytes) |
141 | 578k | { |
142 | 578k | unsigned char mask[5], pn_len, i; |
143 | | |
144 | 578k | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
145 | 2.40k | return 0; |
146 | | |
147 | 576k | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
148 | 576k | pn_len = (*first_byte & 0x3) + 1; |
149 | | |
150 | 2.62M | for (i = 0; i < pn_len; ++i) |
151 | 2.05M | pn_bytes[i] ^= mask[i + 1]; |
152 | | |
153 | 576k | return 1; |
154 | 578k | } |
155 | | |
156 | | int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr, |
157 | | QUIC_PKT_HDR_PTRS *ptrs) |
158 | 820k | { |
159 | 820k | return ossl_quic_hdr_protector_encrypt_fields(hpr, |
160 | 820k | ptrs->raw_sample, |
161 | 820k | ptrs->raw_sample_len, |
162 | 820k | ptrs->raw_start, |
163 | 820k | ptrs->raw_pn); |
164 | 820k | } |
165 | | |
166 | | int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
167 | | const unsigned char *sample, |
168 | | size_t sample_len, |
169 | | unsigned char *first_byte, |
170 | | unsigned char *pn_bytes) |
171 | 820k | { |
172 | 820k | unsigned char mask[5], pn_len, i; |
173 | | |
174 | 820k | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
175 | 0 | return 0; |
176 | | |
177 | 820k | pn_len = (*first_byte & 0x3) + 1; |
178 | 4.10M | for (i = 0; i < pn_len; ++i) |
179 | 3.28M | pn_bytes[i] ^= mask[i + 1]; |
180 | | |
181 | 820k | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
182 | 820k | return 1; |
183 | 820k | } |
184 | | |
185 | | int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt, |
186 | | size_t short_conn_id_len, |
187 | | int partial, |
188 | | int nodata, |
189 | | QUIC_PKT_HDR *hdr, |
190 | | QUIC_PKT_HDR_PTRS *ptrs) |
191 | 1.29M | { |
192 | 1.29M | unsigned int b0; |
193 | 1.29M | unsigned char *pn = NULL; |
194 | 1.29M | size_t l = PACKET_remaining(pkt); |
195 | | |
196 | 1.29M | if (ptrs != NULL) { |
197 | 1.00M | ptrs->raw_start = (unsigned char *)PACKET_data(pkt); |
198 | 1.00M | ptrs->raw_sample = NULL; |
199 | 1.00M | ptrs->raw_sample_len = 0; |
200 | 1.00M | ptrs->raw_pn = NULL; |
201 | 1.00M | } |
202 | | |
203 | 1.29M | if (l < QUIC_MIN_VALID_PKT_LEN |
204 | 1.29M | || !PACKET_get_1(pkt, &b0)) |
205 | 0 | return 0; |
206 | | |
207 | 1.29M | hdr->partial = partial; |
208 | 1.29M | hdr->unused = 0; |
209 | 1.29M | hdr->reserved = 0; |
210 | | |
211 | 1.29M | if ((b0 & 0x80) == 0) { |
212 | | /* Short header. */ |
213 | 138k | if (short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
214 | 0 | return 0; |
215 | | |
216 | 138k | if ((b0 & 0x40) == 0 /* fixed bit not set? */ |
217 | 138k | || l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
218 | 100k | return 0; |
219 | | |
220 | 38.5k | hdr->type = QUIC_PKT_TYPE_1RTT; |
221 | 38.5k | hdr->fixed = 1; |
222 | 38.5k | hdr->spin_bit = (b0 & 0x20) != 0; |
223 | 38.5k | if (partial) { |
224 | 21.0k | hdr->key_phase = 0; /* protected, zero for now */ |
225 | 21.0k | hdr->pn_len = 0; /* protected, zero for now */ |
226 | 21.0k | hdr->reserved = 0; /* protected, zero for now */ |
227 | 21.0k | } else { |
228 | 17.5k | hdr->key_phase = (b0 & 0x04) != 0; |
229 | 17.5k | hdr->pn_len = (b0 & 0x03) + 1; |
230 | 17.5k | hdr->reserved = (b0 & 0x18) >> 3; |
231 | 17.5k | } |
232 | | |
233 | | /* Copy destination connection ID field to header structure. */ |
234 | 38.5k | if (!PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, short_conn_id_len)) |
235 | 0 | return 0; |
236 | | |
237 | 38.5k | hdr->dst_conn_id.id_len = (unsigned char)short_conn_id_len; |
238 | | |
239 | | /* |
240 | | * Skip over the PN. If this is a partial decode, the PN length field |
241 | | * currently has header protection applied. Thus we do not know the |
242 | | * length of the PN but we are allowed to assume it is 4 bytes long at |
243 | | * this stage. |
244 | | */ |
245 | 38.5k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
246 | 38.5k | pn = (unsigned char *)PACKET_data(pkt); |
247 | 38.5k | if (partial) { |
248 | 21.0k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
249 | 0 | return 0; |
250 | 21.0k | } else { |
251 | 17.5k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
252 | 0 | return 0; |
253 | 17.5k | } |
254 | | |
255 | | /* Fields not used in short-header packets. */ |
256 | 38.5k | hdr->version = 0; |
257 | 38.5k | hdr->src_conn_id.id_len = 0; |
258 | 38.5k | hdr->token = NULL; |
259 | 38.5k | hdr->token_len = 0; |
260 | | |
261 | | /* |
262 | | * Short-header packets always come last in a datagram, the length |
263 | | * is the remainder of the buffer. |
264 | | */ |
265 | 38.5k | hdr->len = PACKET_remaining(pkt); |
266 | 38.5k | hdr->data = PACKET_data(pkt); |
267 | | |
268 | | /* |
269 | | * Skip over payload. Since this is a short header packet, which cannot |
270 | | * be followed by any other kind of packet, this advances us to the end |
271 | | * of the datagram. |
272 | | */ |
273 | 38.5k | if (!PACKET_forward(pkt, hdr->len)) |
274 | 0 | return 0; |
275 | 1.15M | } else { |
276 | | /* Long header. */ |
277 | 1.15M | unsigned long version; |
278 | 1.15M | unsigned int dst_conn_id_len, src_conn_id_len, raw_type; |
279 | | |
280 | 1.15M | if (!PACKET_get_net_4(pkt, &version)) |
281 | 0 | return 0; |
282 | | |
283 | | /* |
284 | | * All QUIC packets must have the fixed bit set, except exceptionally |
285 | | * for Version Negotiation packets. |
286 | | */ |
287 | 1.15M | if (version != 0 && (b0 & 0x40) == 0) |
288 | 2.54k | return 0; |
289 | | |
290 | 1.15M | if (!PACKET_get_1(pkt, &dst_conn_id_len) |
291 | 1.15M | || dst_conn_id_len > QUIC_MAX_CONN_ID_LEN |
292 | 1.15M | || !PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, dst_conn_id_len) |
293 | 1.15M | || !PACKET_get_1(pkt, &src_conn_id_len) |
294 | 1.15M | || src_conn_id_len > QUIC_MAX_CONN_ID_LEN |
295 | 1.15M | || !PACKET_copy_bytes(pkt, hdr->src_conn_id.id, src_conn_id_len)) |
296 | 16.5k | return 0; |
297 | | |
298 | 1.13M | hdr->version = (uint32_t)version; |
299 | 1.13M | hdr->dst_conn_id.id_len = (unsigned char)dst_conn_id_len; |
300 | 1.13M | hdr->src_conn_id.id_len = (unsigned char)src_conn_id_len; |
301 | | |
302 | 1.13M | if (version == 0) { |
303 | | /* |
304 | | * Version negotiation packet. Version negotiation packets are |
305 | | * identified by a version field of 0 and the type bits in the first |
306 | | * byte are ignored (they may take any value, and we ignore them). |
307 | | */ |
308 | 137k | hdr->type = QUIC_PKT_TYPE_VERSION_NEG; |
309 | 137k | hdr->fixed = (b0 & 0x40) != 0; |
310 | | |
311 | 137k | hdr->data = PACKET_data(pkt); |
312 | 137k | hdr->len = PACKET_remaining(pkt); |
313 | | |
314 | | /* |
315 | | * Version negotiation packets must contain an array of u32s, so it |
316 | | * is invalid for their payload length to not be divisible by 4. |
317 | | */ |
318 | 137k | if ((hdr->len % 4) != 0) |
319 | 2.39k | return 0; |
320 | | |
321 | | /* Version negotiation packets are always fully decoded. */ |
322 | 135k | hdr->partial = 0; |
323 | | |
324 | | /* Fields not used in version negotiation packets. */ |
325 | 135k | hdr->pn_len = 0; |
326 | 135k | hdr->spin_bit = 0; |
327 | 135k | hdr->key_phase = 0; |
328 | 135k | hdr->token = NULL; |
329 | 135k | hdr->token_len = 0; |
330 | 135k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
331 | | |
332 | 135k | if (!PACKET_forward(pkt, hdr->len)) |
333 | 0 | return 0; |
334 | 998k | } else if (version != QUIC_VERSION_1) { |
335 | | /* Unknown version, do not decode. */ |
336 | 25.6k | return 0; |
337 | 972k | } else { |
338 | 972k | if (l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
339 | 619 | return 0; |
340 | | |
341 | | /* Get long packet type and decode to QUIC_PKT_TYPE_*. */ |
342 | 971k | raw_type = ((b0 >> 4) & 0x3); |
343 | | |
344 | 971k | switch (raw_type) { |
345 | 549k | case 0: |
346 | 549k | hdr->type = QUIC_PKT_TYPE_INITIAL; |
347 | 549k | break; |
348 | 665 | case 1: |
349 | 665 | hdr->type = QUIC_PKT_TYPE_0RTT; |
350 | 665 | break; |
351 | 44.3k | case 2: |
352 | 44.3k | hdr->type = QUIC_PKT_TYPE_HANDSHAKE; |
353 | 44.3k | break; |
354 | 377k | case 3: |
355 | 377k | hdr->type = QUIC_PKT_TYPE_RETRY; |
356 | 377k | break; |
357 | 971k | } |
358 | | |
359 | 971k | hdr->pn_len = 0; |
360 | 971k | hdr->fixed = 1; |
361 | | |
362 | | /* Fields not used in long-header packets. */ |
363 | 971k | hdr->spin_bit = 0; |
364 | 971k | hdr->key_phase = 0; |
365 | | |
366 | 971k | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
367 | | /* Initial packet. */ |
368 | 549k | uint64_t token_len; |
369 | | |
370 | 549k | if (!PACKET_get_quic_vlint(pkt, &token_len) |
371 | 549k | || token_len > SIZE_MAX |
372 | 549k | || !PACKET_get_bytes(pkt, &hdr->token, (size_t)token_len)) |
373 | 816 | return 0; |
374 | | |
375 | 548k | hdr->token_len = (size_t)token_len; |
376 | 548k | if (token_len == 0) |
377 | 546k | hdr->token = NULL; |
378 | 548k | } else { |
379 | 422k | hdr->token = NULL; |
380 | 422k | hdr->token_len = 0; |
381 | 422k | } |
382 | | |
383 | 971k | if (hdr->type == QUIC_PKT_TYPE_RETRY) { |
384 | | /* Retry packet. */ |
385 | 377k | hdr->data = PACKET_data(pkt); |
386 | 377k | hdr->len = PACKET_remaining(pkt); |
387 | | |
388 | | /* Retry packets are always fully decoded. */ |
389 | 377k | hdr->partial = 0; |
390 | | |
391 | | /* Unused bits in Retry header. */ |
392 | 377k | hdr->unused = b0 & 0x0f; |
393 | | |
394 | | /* Fields not used in Retry packets. */ |
395 | 377k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
396 | | |
397 | 377k | if (!PACKET_forward(pkt, hdr->len)) |
398 | 0 | return 0; |
399 | 593k | } else { |
400 | | /* Initial, 0-RTT or Handshake packet. */ |
401 | 593k | uint64_t len; |
402 | | |
403 | 593k | hdr->pn_len = partial ? 0 : ((b0 & 0x03) + 1); |
404 | 593k | hdr->reserved = partial ? 0 : ((b0 & 0x0C) >> 2); |
405 | | |
406 | 593k | if (!PACKET_get_quic_vlint(pkt, &len) |
407 | 593k | || len < sizeof(hdr->pn)) |
408 | 3.01k | return 0; |
409 | | |
410 | 590k | if (!nodata && len > PACKET_remaining(pkt)) |
411 | 1.19k | return 0; |
412 | | |
413 | | /* |
414 | | * Skip over the PN. If this is a partial decode, the PN length |
415 | | * field currently has header protection applied. Thus we do not |
416 | | * know the length of the PN but we are allowed to assume it is |
417 | | * 4 bytes long at this stage. |
418 | | */ |
419 | 589k | pn = (unsigned char *)PACKET_data(pkt); |
420 | 589k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
421 | 589k | if (partial) { |
422 | 315k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
423 | 0 | return 0; |
424 | | |
425 | 315k | hdr->len = (size_t)(len - sizeof(hdr->pn)); |
426 | 315k | } else { |
427 | 274k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
428 | 0 | return 0; |
429 | | |
430 | 274k | hdr->len = (size_t)(len - hdr->pn_len); |
431 | 274k | } |
432 | | |
433 | 589k | if (nodata) { |
434 | 0 | hdr->data = NULL; |
435 | 589k | } else { |
436 | 589k | hdr->data = PACKET_data(pkt); |
437 | | |
438 | | /* Skip over packet body. */ |
439 | 589k | if (!PACKET_forward(pkt, hdr->len)) |
440 | 0 | return 0; |
441 | 589k | } |
442 | 589k | } |
443 | 971k | } |
444 | 1.13M | } |
445 | | |
446 | 1.14M | if (ptrs != NULL) { |
447 | 853k | ptrs->raw_pn = pn; |
448 | 853k | if (pn != NULL) { |
449 | 340k | ptrs->raw_sample = pn + 4; |
450 | 340k | ptrs->raw_sample_len = PACKET_end(pkt) - ptrs->raw_sample; |
451 | 340k | } |
452 | 853k | } |
453 | | |
454 | 1.14M | return 1; |
455 | 1.29M | } |
456 | | |
457 | | int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, |
458 | | size_t short_conn_id_len, |
459 | | const QUIC_PKT_HDR *hdr, |
460 | | QUIC_PKT_HDR_PTRS *ptrs) |
461 | 439k | { |
462 | 439k | unsigned char b0; |
463 | 439k | size_t off_start, off_sample, off_pn; |
464 | 439k | unsigned char *start = WPACKET_get_curr(pkt); |
465 | | |
466 | 439k | if (!WPACKET_get_total_written(pkt, &off_start)) |
467 | 0 | return 0; |
468 | | |
469 | 439k | if (ptrs != NULL) { |
470 | | /* ptrs would not be stable on non-static WPACKET */ |
471 | 412k | if (!ossl_assert(pkt->staticbuf != NULL)) |
472 | 0 | return 0; |
473 | 412k | ptrs->raw_start = NULL; |
474 | 412k | ptrs->raw_sample = NULL; |
475 | 412k | ptrs->raw_sample_len = 0; |
476 | 412k | ptrs->raw_pn = 0; |
477 | 412k | } |
478 | | |
479 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
480 | 439k | if (hdr->partial |
481 | 439k | || (hdr->type == QUIC_PKT_TYPE_1RTT |
482 | 439k | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
483 | 0 | return 0; |
484 | | |
485 | 439k | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
486 | | /* Short header. */ |
487 | | |
488 | | /* |
489 | | * Cannot serialize a header whose DCID length is wrong, or with an |
490 | | * invalid PN length. |
491 | | */ |
492 | 70.9k | if (hdr->dst_conn_id.id_len != short_conn_id_len |
493 | 70.9k | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
494 | 70.9k | || hdr->pn_len < 1 || hdr->pn_len > 4) |
495 | 0 | return 0; |
496 | | |
497 | 70.9k | b0 = (hdr->spin_bit << 5) |
498 | 70.9k | | (hdr->key_phase << 2) |
499 | 70.9k | | (hdr->pn_len - 1) |
500 | 70.9k | | (hdr->reserved << 3) |
501 | 70.9k | | 0x40; /* fixed bit */ |
502 | | |
503 | 70.9k | if (!WPACKET_put_bytes_u8(pkt, b0) |
504 | 70.9k | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, short_conn_id_len) |
505 | 70.9k | || !WPACKET_get_total_written(pkt, &off_pn) |
506 | 70.9k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
507 | 0 | return 0; |
508 | 368k | } else { |
509 | | /* Long header. */ |
510 | 368k | unsigned int raw_type; |
511 | | |
512 | 368k | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
513 | 368k | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
514 | 0 | return 0; |
515 | | |
516 | 368k | if (ossl_quic_pkt_type_has_pn(hdr->type) |
517 | 368k | && (hdr->pn_len < 1 || hdr->pn_len > 4)) |
518 | 0 | return 0; |
519 | | |
520 | 368k | switch (hdr->type) { |
521 | 0 | case QUIC_PKT_TYPE_VERSION_NEG: |
522 | 0 | if (hdr->version != 0) |
523 | 0 | return 0; |
524 | | |
525 | | /* Version negotiation packets use zero for the type bits */ |
526 | 0 | raw_type = 0; |
527 | 0 | break; |
528 | | |
529 | 284k | case QUIC_PKT_TYPE_INITIAL: raw_type = 0; break; |
530 | 0 | case QUIC_PKT_TYPE_0RTT: raw_type = 1; break; |
531 | 57.3k | case QUIC_PKT_TYPE_HANDSHAKE: raw_type = 2; break; |
532 | 26.2k | case QUIC_PKT_TYPE_RETRY: raw_type = 3; break; |
533 | 0 | default: |
534 | 0 | return 0; |
535 | 368k | } |
536 | | |
537 | 368k | b0 = (raw_type << 4) | 0x80; /* long */ |
538 | 368k | if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed) |
539 | 368k | b0 |= 0x40; /* fixed */ |
540 | 368k | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
541 | 341k | b0 |= hdr->pn_len - 1; |
542 | 341k | b0 |= (hdr->reserved << 2); |
543 | 341k | } |
544 | 368k | if (hdr->type == QUIC_PKT_TYPE_RETRY) |
545 | 26.2k | b0 |= hdr->unused; |
546 | | |
547 | 368k | if (!WPACKET_put_bytes_u8(pkt, b0) |
548 | 368k | || !WPACKET_put_bytes_u32(pkt, hdr->version) |
549 | 368k | || !WPACKET_put_bytes_u8(pkt, hdr->dst_conn_id.id_len) |
550 | 368k | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, |
551 | 368k | hdr->dst_conn_id.id_len) |
552 | 368k | || !WPACKET_put_bytes_u8(pkt, hdr->src_conn_id.id_len) |
553 | 368k | || !WPACKET_memcpy(pkt, hdr->src_conn_id.id, |
554 | 368k | hdr->src_conn_id.id_len)) |
555 | 0 | return 0; |
556 | | |
557 | 368k | if (hdr->type == QUIC_PKT_TYPE_VERSION_NEG |
558 | 368k | || hdr->type == QUIC_PKT_TYPE_RETRY) { |
559 | 26.2k | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
560 | 0 | return 0; |
561 | | |
562 | 26.2k | return 1; |
563 | 26.2k | } |
564 | | |
565 | 341k | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
566 | 284k | if (!WPACKET_quic_write_vlint(pkt, hdr->token_len) |
567 | 284k | || !WPACKET_memcpy(pkt, hdr->token, hdr->token_len)) |
568 | 0 | return 0; |
569 | 284k | } |
570 | | |
571 | 341k | if (!WPACKET_quic_write_vlint(pkt, hdr->len + hdr->pn_len) |
572 | 341k | || !WPACKET_get_total_written(pkt, &off_pn) |
573 | 341k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
574 | 0 | return 0; |
575 | 341k | } |
576 | | |
577 | 412k | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
578 | 0 | return 0; |
579 | | |
580 | 412k | off_sample = off_pn + 4; |
581 | | |
582 | 412k | if (ptrs != NULL) { |
583 | 412k | ptrs->raw_start = start; |
584 | 412k | ptrs->raw_sample = start + (off_sample - off_start); |
585 | 412k | ptrs->raw_sample_len |
586 | 412k | = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; |
587 | 412k | ptrs->raw_pn = start + (off_pn - off_start); |
588 | 412k | } |
589 | | |
590 | 412k | return 1; |
591 | 412k | } |
592 | | |
593 | | int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, |
594 | | const QUIC_PKT_HDR *hdr) |
595 | 23.9M | { |
596 | 23.9M | size_t len = 0, enclen; |
597 | | |
598 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
599 | 23.9M | if (hdr->partial |
600 | 23.9M | || (hdr->type == QUIC_PKT_TYPE_1RTT |
601 | 23.9M | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
602 | 0 | return 0; |
603 | | |
604 | 23.9M | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
605 | | /* Short header. */ |
606 | | |
607 | | /* |
608 | | * Cannot serialize a header whose DCID length is wrong, or with an |
609 | | * invalid PN length. |
610 | | */ |
611 | 4.24M | if (hdr->dst_conn_id.id_len != short_conn_id_len |
612 | 4.24M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
613 | 4.24M | || hdr->pn_len < 1 || hdr->pn_len > 4) |
614 | 0 | return 0; |
615 | | |
616 | 4.24M | return 1 + short_conn_id_len + hdr->pn_len; |
617 | 19.7M | } else { |
618 | | /* Long header. */ |
619 | 19.7M | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
620 | 19.7M | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
621 | 0 | return 0; |
622 | | |
623 | 19.7M | len += 1 /* Initial byte */ + 4 /* Version */ |
624 | 19.7M | + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ |
625 | 19.7M | + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ |
626 | 19.7M | ; |
627 | | |
628 | 19.7M | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
629 | 19.7M | if (hdr->pn_len < 1 || hdr->pn_len > 4) |
630 | 0 | return 0; |
631 | | |
632 | 19.7M | len += hdr->pn_len; |
633 | 19.7M | } |
634 | | |
635 | 19.7M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
636 | 18.7M | enclen = ossl_quic_vlint_encode_len(hdr->token_len); |
637 | 18.7M | if (!enclen) |
638 | 0 | return 0; |
639 | | |
640 | 18.7M | len += enclen + hdr->token_len; |
641 | 18.7M | } |
642 | | |
643 | 19.7M | if (!ossl_quic_pkt_type_must_be_last(hdr->type)) { |
644 | 19.7M | enclen = ossl_quic_vlint_encode_len(hdr->len + hdr->pn_len); |
645 | 19.7M | if (!enclen) |
646 | 0 | return 0; |
647 | | |
648 | 19.7M | len += enclen; |
649 | 19.7M | } |
650 | | |
651 | 19.7M | return len; |
652 | 19.7M | } |
653 | 23.9M | } |
654 | | |
655 | | int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, |
656 | | size_t buf_len, |
657 | | size_t short_conn_id_len, |
658 | | QUIC_CONN_ID *dst_conn_id) |
659 | 5.19M | { |
660 | 5.19M | unsigned char b0; |
661 | 5.19M | size_t blen; |
662 | | |
663 | 5.19M | if (buf_len < QUIC_MIN_VALID_PKT_LEN |
664 | 5.19M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
665 | 2.75M | return 0; |
666 | | |
667 | 2.44M | b0 = buf[0]; |
668 | 2.44M | if ((b0 & 0x80) != 0) { |
669 | | /* |
670 | | * Long header. We need 6 bytes (initial byte, 4 version bytes, DCID |
671 | | * length byte to begin with). This is covered by the buf_len test |
672 | | * above. |
673 | | */ |
674 | | |
675 | | /* |
676 | | * If the version field is non-zero (meaning that this is not a Version |
677 | | * Negotiation packet), the fixed bit must be set. |
678 | | */ |
679 | 2.24M | if ((buf[1] || buf[2] || buf[3] || buf[4]) && (b0 & 0x40) == 0) |
680 | 1.99k | return 0; |
681 | | |
682 | 2.24M | blen = (size_t)buf[5]; /* DCID Length */ |
683 | 2.24M | if (blen > QUIC_MAX_CONN_ID_LEN |
684 | 2.24M | || buf_len < QUIC_MIN_VALID_PKT_LEN + blen) |
685 | 326k | return 0; |
686 | | |
687 | 1.91M | dst_conn_id->id_len = (unsigned char)blen; |
688 | 1.91M | memcpy(dst_conn_id->id, buf + 6, blen); |
689 | 1.91M | return 1; |
690 | 2.24M | } else { |
691 | | /* Short header. */ |
692 | 197k | if ((b0 & 0x40) == 0) |
693 | | /* Fixed bit not set, not a valid QUIC packet header. */ |
694 | 156k | return 0; |
695 | | |
696 | 40.7k | if (buf_len < QUIC_MIN_VALID_PKT_LEN_CRYPTO + short_conn_id_len) |
697 | 337 | return 0; |
698 | | |
699 | 40.4k | dst_conn_id->id_len = (unsigned char)short_conn_id_len; |
700 | 40.4k | memcpy(dst_conn_id->id, buf + 1, short_conn_id_len); |
701 | 40.4k | return 1; |
702 | 40.7k | } |
703 | 2.44M | } |
704 | | |
705 | | int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn, |
706 | | size_t enc_pn_len, |
707 | | QUIC_PN largest_pn, |
708 | | QUIC_PN *res_pn) |
709 | 576k | { |
710 | 576k | int64_t expected_pn, truncated_pn, candidate_pn, pn_win, pn_hwin, pn_mask; |
711 | | |
712 | 576k | switch (enc_pn_len) { |
713 | 26.1k | case 1: |
714 | 26.1k | truncated_pn = enc_pn[0]; |
715 | 26.1k | break; |
716 | 1.61k | case 2: |
717 | 1.61k | truncated_pn = ((QUIC_PN)enc_pn[0] << 8) |
718 | 1.61k | | (QUIC_PN)enc_pn[1]; |
719 | 1.61k | break; |
720 | 172k | case 3: |
721 | 172k | truncated_pn = ((QUIC_PN)enc_pn[0] << 16) |
722 | 172k | | ((QUIC_PN)enc_pn[1] << 8) |
723 | 172k | | (QUIC_PN)enc_pn[2]; |
724 | 172k | break; |
725 | 375k | case 4: |
726 | 375k | truncated_pn = ((QUIC_PN)enc_pn[0] << 24) |
727 | 375k | | ((QUIC_PN)enc_pn[1] << 16) |
728 | 375k | | ((QUIC_PN)enc_pn[2] << 8) |
729 | 375k | | (QUIC_PN)enc_pn[3]; |
730 | 375k | break; |
731 | 0 | default: |
732 | 0 | return 0; |
733 | 576k | } |
734 | | |
735 | | /* Implemented as per RFC 9000 Section A.3. */ |
736 | 576k | expected_pn = largest_pn + 1; |
737 | 576k | pn_win = ((int64_t)1) << (enc_pn_len * 8); |
738 | 576k | pn_hwin = pn_win / 2; |
739 | 576k | pn_mask = pn_win - 1; |
740 | 576k | candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; |
741 | 576k | if (candidate_pn <= expected_pn - pn_hwin |
742 | 576k | && candidate_pn < (((int64_t)1) << 62) - pn_win) |
743 | 84.7k | *res_pn = candidate_pn + pn_win; |
744 | 491k | else if (candidate_pn > expected_pn + pn_hwin |
745 | 491k | && candidate_pn >= pn_win) |
746 | 25.9k | *res_pn = candidate_pn - pn_win; |
747 | 465k | else |
748 | 465k | *res_pn = candidate_pn; |
749 | 576k | return 1; |
750 | 576k | } |
751 | | |
752 | | /* From RFC 9000 Section A.2. Simplified implementation. */ |
753 | | int ossl_quic_wire_determine_pn_len(QUIC_PN pn, |
754 | | QUIC_PN largest_acked) |
755 | 0 | { |
756 | 0 | uint64_t num_unacked |
757 | 0 | = (largest_acked == QUIC_PN_INVALID) ? pn + 1 : pn - largest_acked; |
758 | | |
759 | | /* |
760 | | * num_unacked \in [ 0, 2** 7] -> 1 byte |
761 | | * num_unacked \in (2** 7, 2**15] -> 2 bytes |
762 | | * num_unacked \in (2**15, 2**23] -> 3 bytes |
763 | | * num_unacked \in (2**23, ] -> 4 bytes |
764 | | */ |
765 | |
|
766 | 0 | if (num_unacked <= (1U<<7)) return 1; |
767 | 0 | if (num_unacked <= (1U<<15)) return 2; |
768 | 0 | if (num_unacked <= (1U<<23)) return 3; |
769 | 0 | return 4; |
770 | 0 | } |
771 | | |
772 | | int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn, |
773 | | unsigned char *enc_pn, |
774 | | size_t enc_pn_len) |
775 | 820k | { |
776 | 820k | switch (enc_pn_len) { |
777 | 0 | case 1: |
778 | 0 | enc_pn[0] = (unsigned char)pn; |
779 | 0 | break; |
780 | 0 | case 2: |
781 | 0 | enc_pn[1] = (unsigned char)pn; |
782 | 0 | enc_pn[0] = (unsigned char)(pn >> 8); |
783 | 0 | break; |
784 | 0 | case 3: |
785 | 0 | enc_pn[2] = (unsigned char)pn; |
786 | 0 | enc_pn[1] = (unsigned char)(pn >> 8); |
787 | 0 | enc_pn[0] = (unsigned char)(pn >> 16); |
788 | 0 | break; |
789 | 820k | case 4: |
790 | 820k | enc_pn[3] = (unsigned char)pn; |
791 | 820k | enc_pn[2] = (unsigned char)(pn >> 8); |
792 | 820k | enc_pn[1] = (unsigned char)(pn >> 16); |
793 | 820k | enc_pn[0] = (unsigned char)(pn >> 24); |
794 | 820k | break; |
795 | 0 | default: |
796 | 0 | return 0; |
797 | 820k | } |
798 | | |
799 | 820k | return 1; |
800 | 820k | } |
801 | | |
802 | | int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
803 | | const char *propq, |
804 | | const QUIC_PKT_HDR *hdr, |
805 | | const QUIC_CONN_ID *client_initial_dcid) |
806 | 102k | { |
807 | 102k | unsigned char expected_tag[QUIC_RETRY_INTEGRITY_TAG_LEN]; |
808 | 102k | const unsigned char *actual_tag; |
809 | | |
810 | 102k | if (hdr == NULL || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN) |
811 | 0 | return 0; |
812 | | |
813 | 102k | if (!ossl_quic_calculate_retry_integrity_tag(libctx, propq, |
814 | 102k | hdr, client_initial_dcid, |
815 | 102k | expected_tag)) |
816 | 0 | return 0; |
817 | | |
818 | 102k | actual_tag = hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN; |
819 | | |
820 | 102k | return !CRYPTO_memcmp(expected_tag, actual_tag, |
821 | 102k | QUIC_RETRY_INTEGRITY_TAG_LEN); |
822 | 102k | } |
823 | | |
824 | | /* RFC 9001 s. 5.8 */ |
825 | | static const unsigned char retry_integrity_key[] = { |
826 | | 0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, |
827 | | 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e |
828 | | }; |
829 | | |
830 | | static const unsigned char retry_integrity_nonce[] = { |
831 | | 0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, |
832 | | 0x23, 0x98, 0x25, 0xbb |
833 | | }; |
834 | | |
835 | | int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
836 | | const char *propq, |
837 | | const QUIC_PKT_HDR *hdr, |
838 | | const QUIC_CONN_ID *client_initial_dcid, |
839 | | unsigned char *tag) |
840 | 102k | { |
841 | 102k | EVP_CIPHER *cipher = NULL; |
842 | 102k | EVP_CIPHER_CTX *cctx = NULL; |
843 | 102k | int ok = 0, l = 0, l2 = 0, wpkt_valid = 0; |
844 | 102k | WPACKET wpkt; |
845 | | /* Worst case length of the Retry Psuedo-Packet header is 68 bytes. */ |
846 | 102k | unsigned char buf[128]; |
847 | 102k | QUIC_PKT_HDR hdr2; |
848 | 102k | size_t hdr_enc_len = 0; |
849 | | |
850 | 102k | if (hdr->type != QUIC_PKT_TYPE_RETRY || hdr->version == 0 |
851 | 102k | || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN |
852 | 102k | || hdr->data == NULL |
853 | 102k | || client_initial_dcid == NULL || tag == NULL |
854 | 102k | || client_initial_dcid->id_len > QUIC_MAX_CONN_ID_LEN) { |
855 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
856 | 0 | goto err; |
857 | 0 | } |
858 | | |
859 | | /* |
860 | | * Do not reserve packet body in WPACKET. Retry packet header |
861 | | * does not contain a Length field so this does not affect |
862 | | * the serialized packet header. |
863 | | */ |
864 | 102k | hdr2 = *hdr; |
865 | 102k | hdr2.len = 0; |
866 | | |
867 | | /* Assemble retry psuedo-packet. */ |
868 | 102k | if (!WPACKET_init_static_len(&wpkt, buf, sizeof(buf), 0)) { |
869 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
870 | 0 | goto err; |
871 | 0 | } |
872 | | |
873 | 102k | wpkt_valid = 1; |
874 | | |
875 | | /* Prepend original DCID to the packet. */ |
876 | 102k | if (!WPACKET_put_bytes_u8(&wpkt, client_initial_dcid->id_len) |
877 | 102k | || !WPACKET_memcpy(&wpkt, client_initial_dcid->id, |
878 | 102k | client_initial_dcid->id_len)) { |
879 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
880 | 0 | goto err; |
881 | 0 | } |
882 | | |
883 | | /* Encode main retry header. */ |
884 | 102k | if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, hdr2.dst_conn_id.id_len, |
885 | 102k | &hdr2, NULL)) |
886 | 0 | goto err; |
887 | | |
888 | 102k | if (!WPACKET_get_total_written(&wpkt, &hdr_enc_len)) { |
889 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
890 | 0 | goto err; |
891 | 0 | } |
892 | | |
893 | | /* Create and initialise cipher context. */ |
894 | | /* TODO(QUIC FUTURE): Cipher fetch caching. */ |
895 | 102k | if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", propq)) == NULL) { |
896 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
897 | 0 | goto err; |
898 | 0 | } |
899 | | |
900 | 102k | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
901 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
902 | 0 | goto err; |
903 | 0 | } |
904 | | |
905 | 102k | if (!EVP_CipherInit_ex(cctx, cipher, NULL, |
906 | 102k | retry_integrity_key, retry_integrity_nonce, /*enc=*/1)) { |
907 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
908 | 0 | goto err; |
909 | 0 | } |
910 | | |
911 | | /* Feed packet header as AAD data. */ |
912 | 102k | if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) { |
913 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
914 | 0 | goto err; |
915 | 0 | } |
916 | | |
917 | | /* Feed packet body as AAD data. */ |
918 | 102k | if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data, |
919 | 102k | hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) != 1) { |
920 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
921 | 0 | goto err; |
922 | 0 | } |
923 | | |
924 | | /* Finalise and get tag. */ |
925 | 102k | if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { |
926 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
927 | 0 | goto err; |
928 | 0 | } |
929 | | |
930 | 102k | if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, |
931 | 102k | QUIC_RETRY_INTEGRITY_TAG_LEN, |
932 | 102k | tag) != 1) { |
933 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
934 | 0 | goto err; |
935 | 0 | } |
936 | | |
937 | 102k | ok = 1; |
938 | 102k | err: |
939 | 102k | EVP_CIPHER_free(cipher); |
940 | 102k | EVP_CIPHER_CTX_free(cctx); |
941 | 102k | if (wpkt_valid) |
942 | 102k | WPACKET_finish(&wpkt); |
943 | | |
944 | 102k | return ok; |
945 | 102k | } |