/src/openssl33/ssl/quic/quic_wire_pkt.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/err.h> |
11 | | #include "internal/common.h" |
12 | | #include "internal/quic_wire_pkt.h" |
13 | | |
14 | | int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr, |
15 | | OSSL_LIB_CTX *libctx, |
16 | | const char *propq, |
17 | | uint32_t cipher_id, |
18 | | const unsigned char *quic_hp_key, |
19 | | size_t quic_hp_key_len) |
20 | 176k | { |
21 | 176k | const char *cipher_name = NULL; |
22 | | |
23 | 176k | switch (cipher_id) { |
24 | 104k | case QUIC_HDR_PROT_CIPHER_AES_128: |
25 | 104k | cipher_name = "AES-128-ECB"; |
26 | 104k | break; |
27 | 67.6k | case QUIC_HDR_PROT_CIPHER_AES_256: |
28 | 67.6k | cipher_name = "AES-256-ECB"; |
29 | 67.6k | break; |
30 | 3.92k | case QUIC_HDR_PROT_CIPHER_CHACHA: |
31 | 3.92k | cipher_name = "ChaCha20"; |
32 | 3.92k | break; |
33 | 0 | default: |
34 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED); |
35 | 0 | return 0; |
36 | 176k | } |
37 | | |
38 | 176k | hpr->cipher_ctx = EVP_CIPHER_CTX_new(); |
39 | 176k | if (hpr->cipher_ctx == NULL) { |
40 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
41 | 0 | return 0; |
42 | 0 | } |
43 | | |
44 | 176k | hpr->cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq); |
45 | 176k | if (hpr->cipher == NULL |
46 | 176k | || quic_hp_key_len != (size_t)EVP_CIPHER_get_key_length(hpr->cipher)) { |
47 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
48 | 0 | goto err; |
49 | 0 | } |
50 | | |
51 | 176k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, hpr->cipher, NULL, |
52 | 176k | quic_hp_key, NULL, 1)) { |
53 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
54 | 0 | goto err; |
55 | 0 | } |
56 | | |
57 | 176k | hpr->libctx = libctx; |
58 | 176k | hpr->propq = propq; |
59 | 176k | hpr->cipher_id = cipher_id; |
60 | 176k | return 1; |
61 | | |
62 | 0 | err: |
63 | 0 | ossl_quic_hdr_protector_cleanup(hpr); |
64 | 0 | return 0; |
65 | 176k | } |
66 | | |
67 | | void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr) |
68 | 176k | { |
69 | 176k | EVP_CIPHER_CTX_free(hpr->cipher_ctx); |
70 | 176k | hpr->cipher_ctx = NULL; |
71 | | |
72 | 176k | EVP_CIPHER_free(hpr->cipher); |
73 | 176k | hpr->cipher = NULL; |
74 | 176k | } |
75 | | |
76 | | static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr, |
77 | | const unsigned char *sample, size_t sample_len, |
78 | | unsigned char *mask) |
79 | 3.27M | { |
80 | 3.27M | int l = 0; |
81 | 3.27M | unsigned char dst[16]; |
82 | 3.27M | static const unsigned char zeroes[5] = { 0 }; |
83 | 3.27M | size_t i; |
84 | | |
85 | 3.27M | if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_128 |
86 | 3.17M | || hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_256) { |
87 | 3.17M | if (sample_len < 16) { |
88 | 3.19k | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
89 | 3.19k | return 0; |
90 | 3.19k | } |
91 | | |
92 | 3.16M | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, NULL, 1) |
93 | 3.16M | || !EVP_CipherUpdate(hpr->cipher_ctx, dst, &l, sample, 16)) { |
94 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
95 | 0 | return 0; |
96 | 0 | } |
97 | | |
98 | 19.0M | for (i = 0; i < 5; ++i) |
99 | 15.8M | mask[i] = dst[i]; |
100 | 3.16M | } else if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_CHACHA) { |
101 | 104k | if (sample_len < 16) { |
102 | 2.64k | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
103 | 2.64k | return 0; |
104 | 2.64k | } |
105 | | |
106 | 101k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, sample, 1) |
107 | 101k | || !EVP_CipherUpdate(hpr->cipher_ctx, mask, &l, |
108 | 101k | zeroes, sizeof(zeroes))) { |
109 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
110 | 0 | return 0; |
111 | 0 | } |
112 | 101k | } else { |
113 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
114 | 0 | assert(0); |
115 | 0 | return 0; |
116 | 0 | } |
117 | | |
118 | 3.26M | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
119 | | /* No matter what we did above we use the same mask in fuzzing mode */ |
120 | 3.26M | memset(mask, 0, 5); |
121 | 3.26M | #endif |
122 | | |
123 | 3.26M | return 1; |
124 | 3.27M | } |
125 | | |
126 | | int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr, |
127 | | QUIC_PKT_HDR_PTRS *ptrs) |
128 | 1.20M | { |
129 | 1.20M | return ossl_quic_hdr_protector_decrypt_fields(hpr, |
130 | 1.20M | ptrs->raw_sample, |
131 | 1.20M | ptrs->raw_sample_len, |
132 | 1.20M | ptrs->raw_start, |
133 | 1.20M | ptrs->raw_pn); |
134 | 1.20M | } |
135 | | |
136 | | int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
137 | | const unsigned char *sample, |
138 | | size_t sample_len, |
139 | | unsigned char *first_byte, |
140 | | unsigned char *pn_bytes) |
141 | 1.20M | { |
142 | 1.20M | unsigned char mask[5], pn_len, i; |
143 | | |
144 | 1.20M | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
145 | 5.83k | return 0; |
146 | | |
147 | 1.19M | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
148 | 1.19M | pn_len = (*first_byte & 0x3) + 1; |
149 | | |
150 | 5.45M | for (i = 0; i < pn_len; ++i) |
151 | 4.25M | pn_bytes[i] ^= mask[i + 1]; |
152 | | |
153 | 1.19M | return 1; |
154 | 1.20M | } |
155 | | |
156 | | int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr, |
157 | | QUIC_PKT_HDR_PTRS *ptrs) |
158 | 2.07M | { |
159 | 2.07M | return ossl_quic_hdr_protector_encrypt_fields(hpr, |
160 | 2.07M | ptrs->raw_sample, |
161 | 2.07M | ptrs->raw_sample_len, |
162 | 2.07M | ptrs->raw_start, |
163 | 2.07M | ptrs->raw_pn); |
164 | 2.07M | } |
165 | | |
166 | | int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
167 | | const unsigned char *sample, |
168 | | size_t sample_len, |
169 | | unsigned char *first_byte, |
170 | | unsigned char *pn_bytes) |
171 | 2.07M | { |
172 | 2.07M | unsigned char mask[5], pn_len, i; |
173 | | |
174 | 2.07M | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
175 | 0 | return 0; |
176 | | |
177 | 2.07M | pn_len = (*first_byte & 0x3) + 1; |
178 | 10.3M | for (i = 0; i < pn_len; ++i) |
179 | 8.29M | pn_bytes[i] ^= mask[i + 1]; |
180 | | |
181 | 2.07M | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
182 | 2.07M | return 1; |
183 | 2.07M | } |
184 | | |
185 | | int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt, |
186 | | size_t short_conn_id_len, |
187 | | int partial, |
188 | | int nodata, |
189 | | QUIC_PKT_HDR *hdr, |
190 | | QUIC_PKT_HDR_PTRS *ptrs) |
191 | 2.65M | { |
192 | 2.65M | unsigned int b0; |
193 | 2.65M | unsigned char *pn = NULL; |
194 | 2.65M | size_t l = PACKET_remaining(pkt); |
195 | | |
196 | 2.65M | if (ptrs != NULL) { |
197 | 2.11M | ptrs->raw_start = (unsigned char *)PACKET_data(pkt); |
198 | 2.11M | ptrs->raw_sample = NULL; |
199 | 2.11M | ptrs->raw_sample_len = 0; |
200 | 2.11M | ptrs->raw_pn = NULL; |
201 | 2.11M | } |
202 | | |
203 | 2.65M | if (l < QUIC_MIN_VALID_PKT_LEN |
204 | 2.65M | || !PACKET_get_1(pkt, &b0)) |
205 | 0 | return 0; |
206 | | |
207 | 2.65M | hdr->partial = partial; |
208 | 2.65M | hdr->unused = 0; |
209 | 2.65M | hdr->reserved = 0; |
210 | | |
211 | 2.65M | if ((b0 & 0x80) == 0) { |
212 | | /* Short header. */ |
213 | 206k | if (short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
214 | 0 | return 0; |
215 | | |
216 | 206k | if ((b0 & 0x40) == 0 /* fixed bit not set? */ |
217 | 93.5k | || l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
218 | 124k | return 0; |
219 | | |
220 | 81.6k | hdr->type = QUIC_PKT_TYPE_1RTT; |
221 | 81.6k | hdr->fixed = 1; |
222 | 81.6k | hdr->spin_bit = (b0 & 0x20) != 0; |
223 | 81.6k | if (partial) { |
224 | 44.8k | hdr->key_phase = 0; /* protected, zero for now */ |
225 | 44.8k | hdr->pn_len = 0; /* protected, zero for now */ |
226 | 44.8k | hdr->reserved = 0; /* protected, zero for now */ |
227 | 44.8k | } else { |
228 | 36.8k | hdr->key_phase = (b0 & 0x04) != 0; |
229 | 36.8k | hdr->pn_len = (b0 & 0x03) + 1; |
230 | 36.8k | hdr->reserved = (b0 & 0x18) >> 3; |
231 | 36.8k | } |
232 | | |
233 | | /* Copy destination connection ID field to header structure. */ |
234 | 81.6k | if (!PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, short_conn_id_len)) |
235 | 0 | return 0; |
236 | | |
237 | 81.6k | hdr->dst_conn_id.id_len = (unsigned char)short_conn_id_len; |
238 | | |
239 | | /* |
240 | | * Skip over the PN. If this is a partial decode, the PN length field |
241 | | * currently has header protection applied. Thus we do not know the |
242 | | * length of the PN but we are allowed to assume it is 4 bytes long at |
243 | | * this stage. |
244 | | */ |
245 | 81.6k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
246 | 81.6k | pn = (unsigned char *)PACKET_data(pkt); |
247 | 81.6k | if (partial) { |
248 | 44.8k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
249 | 0 | return 0; |
250 | 44.8k | } else { |
251 | 36.8k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
252 | 0 | return 0; |
253 | 36.8k | } |
254 | | |
255 | | /* Fields not used in short-header packets. */ |
256 | 81.6k | hdr->version = 0; |
257 | 81.6k | hdr->src_conn_id.id_len = 0; |
258 | 81.6k | hdr->token = NULL; |
259 | 81.6k | hdr->token_len = 0; |
260 | | |
261 | | /* |
262 | | * Short-header packets always come last in a datagram, the length |
263 | | * is the remainder of the buffer. |
264 | | */ |
265 | 81.6k | hdr->len = PACKET_remaining(pkt); |
266 | 81.6k | hdr->data = PACKET_data(pkt); |
267 | | |
268 | | /* |
269 | | * Skip over payload. Since this is a short header packet, which cannot |
270 | | * be followed by any other kind of packet, this advances us to the end |
271 | | * of the datagram. |
272 | | */ |
273 | 81.6k | if (!PACKET_forward(pkt, hdr->len)) |
274 | 0 | return 0; |
275 | 2.44M | } else { |
276 | | /* Long header. */ |
277 | 2.44M | unsigned long version; |
278 | 2.44M | unsigned int dst_conn_id_len, src_conn_id_len, raw_type; |
279 | | |
280 | 2.44M | if (!PACKET_get_net_4(pkt, &version)) |
281 | 0 | return 0; |
282 | | |
283 | | /* |
284 | | * All QUIC packets must have the fixed bit set, except exceptionally |
285 | | * for Version Negotiation packets. |
286 | | */ |
287 | 2.44M | if (version != 0 && (b0 & 0x40) == 0) |
288 | 5.13k | return 0; |
289 | | |
290 | 2.44M | if (!PACKET_get_1(pkt, &dst_conn_id_len) |
291 | 2.44M | || dst_conn_id_len > QUIC_MAX_CONN_ID_LEN |
292 | 2.44M | || !PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, dst_conn_id_len) |
293 | 2.42M | || !PACKET_get_1(pkt, &src_conn_id_len) |
294 | 2.42M | || src_conn_id_len > QUIC_MAX_CONN_ID_LEN |
295 | 2.40M | || !PACKET_copy_bytes(pkt, hdr->src_conn_id.id, src_conn_id_len)) |
296 | 37.8k | return 0; |
297 | | |
298 | 2.40M | hdr->version = (uint32_t)version; |
299 | 2.40M | hdr->dst_conn_id.id_len = (unsigned char)dst_conn_id_len; |
300 | 2.40M | hdr->src_conn_id.id_len = (unsigned char)src_conn_id_len; |
301 | | |
302 | 2.40M | if (version == 0) { |
303 | | /* |
304 | | * Version negotiation packet. Version negotiation packets are |
305 | | * identified by a version field of 0 and the type bits in the first |
306 | | * byte are ignored (they may take any value, and we ignore them). |
307 | | */ |
308 | 263k | hdr->type = QUIC_PKT_TYPE_VERSION_NEG; |
309 | 263k | hdr->fixed = (b0 & 0x40) != 0; |
310 | | |
311 | 263k | hdr->data = PACKET_data(pkt); |
312 | 263k | hdr->len = PACKET_remaining(pkt); |
313 | | |
314 | | /* |
315 | | * Version negotiation packets must contain an array of u32s, so it |
316 | | * is invalid for their payload length to not be divisible by 4. |
317 | | */ |
318 | 263k | if ((hdr->len % 4) != 0) |
319 | 5.82k | return 0; |
320 | | |
321 | | /* Version negotiation packets are always fully decoded. */ |
322 | 257k | hdr->partial = 0; |
323 | | |
324 | | /* Fields not used in version negotiation packets. */ |
325 | 257k | hdr->pn_len = 0; |
326 | 257k | hdr->spin_bit = 0; |
327 | 257k | hdr->key_phase = 0; |
328 | 257k | hdr->token = NULL; |
329 | 257k | hdr->token_len = 0; |
330 | 257k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
331 | | |
332 | 257k | if (!PACKET_forward(pkt, hdr->len)) |
333 | 0 | return 0; |
334 | 2.14M | } else if (version != QUIC_VERSION_1) { |
335 | | /* Unknown version, do not decode. */ |
336 | 61.5k | return 0; |
337 | 2.07M | } else { |
338 | 2.07M | if (l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
339 | 1.76k | return 0; |
340 | | |
341 | | /* Get long packet type and decode to QUIC_PKT_TYPE_*. */ |
342 | 2.07M | raw_type = ((b0 >> 4) & 0x3); |
343 | | |
344 | 2.07M | switch (raw_type) { |
345 | 1.00M | case 0: |
346 | 1.00M | hdr->type = QUIC_PKT_TYPE_INITIAL; |
347 | 1.00M | break; |
348 | 544 | case 1: |
349 | 544 | hdr->type = QUIC_PKT_TYPE_0RTT; |
350 | 544 | break; |
351 | 93.2k | case 2: |
352 | 93.2k | hdr->type = QUIC_PKT_TYPE_HANDSHAKE; |
353 | 93.2k | break; |
354 | 975k | case 3: |
355 | 975k | hdr->type = QUIC_PKT_TYPE_RETRY; |
356 | 975k | break; |
357 | 2.07M | } |
358 | | |
359 | 2.07M | hdr->pn_len = 0; |
360 | 2.07M | hdr->fixed = 1; |
361 | | |
362 | | /* Fields not used in long-header packets. */ |
363 | 2.07M | hdr->spin_bit = 0; |
364 | 2.07M | hdr->key_phase = 0; |
365 | | |
366 | 2.07M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
367 | | /* Initial packet. */ |
368 | 1.00M | uint64_t token_len; |
369 | | |
370 | 1.00M | if (!PACKET_get_quic_vlint(pkt, &token_len) |
371 | 1.00M | || token_len > SIZE_MAX |
372 | 1.00M | || !PACKET_get_bytes(pkt, &hdr->token, (size_t)token_len)) |
373 | 1.60k | return 0; |
374 | | |
375 | 1.00M | hdr->token_len = (size_t)token_len; |
376 | 1.00M | if (token_len == 0) |
377 | 1.00M | hdr->token = NULL; |
378 | 1.06M | } else { |
379 | 1.06M | hdr->token = NULL; |
380 | 1.06M | hdr->token_len = 0; |
381 | 1.06M | } |
382 | | |
383 | 2.07M | if (hdr->type == QUIC_PKT_TYPE_RETRY) { |
384 | | /* Retry packet. */ |
385 | 975k | hdr->data = PACKET_data(pkt); |
386 | 975k | hdr->len = PACKET_remaining(pkt); |
387 | | |
388 | | /* Retry packets are always fully decoded. */ |
389 | 975k | hdr->partial = 0; |
390 | | |
391 | | /* Unused bits in Retry header. */ |
392 | 975k | hdr->unused = b0 & 0x0f; |
393 | | |
394 | | /* Fields not used in Retry packets. */ |
395 | 975k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
396 | | |
397 | 975k | if (!PACKET_forward(pkt, hdr->len)) |
398 | 0 | return 0; |
399 | 1.10M | } else { |
400 | | /* Initial, 0-RTT or Handshake packet. */ |
401 | 1.10M | uint64_t len; |
402 | | |
403 | 1.10M | hdr->pn_len = partial ? 0 : ((b0 & 0x03) + 1); |
404 | 1.10M | hdr->reserved = partial ? 0 : ((b0 & 0x0C) >> 2); |
405 | | |
406 | 1.10M | if (!PACKET_get_quic_vlint(pkt, &len) |
407 | 1.10M | || len < sizeof(hdr->pn)) |
408 | 4.52k | return 0; |
409 | | |
410 | 1.09M | if (!nodata && len > PACKET_remaining(pkt)) |
411 | 2.66k | return 0; |
412 | | |
413 | | /* |
414 | | * Skip over the PN. If this is a partial decode, the PN length |
415 | | * field currently has header protection applied. Thus we do not |
416 | | * know the length of the PN but we are allowed to assume it is |
417 | | * 4 bytes long at this stage. |
418 | | */ |
419 | 1.09M | pn = (unsigned char *)PACKET_data(pkt); |
420 | 1.09M | memset(hdr->pn, 0, sizeof(hdr->pn)); |
421 | 1.09M | if (partial) { |
422 | 586k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
423 | 0 | return 0; |
424 | | |
425 | 586k | hdr->len = (size_t)(len - sizeof(hdr->pn)); |
426 | 586k | } else { |
427 | 506k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
428 | 0 | return 0; |
429 | | |
430 | 506k | hdr->len = (size_t)(len - hdr->pn_len); |
431 | 506k | } |
432 | | |
433 | 1.09M | if (nodata) { |
434 | 0 | hdr->data = NULL; |
435 | 1.09M | } else { |
436 | 1.09M | hdr->data = PACKET_data(pkt); |
437 | | |
438 | | /* Skip over packet body. */ |
439 | 1.09M | if (!PACKET_forward(pkt, hdr->len)) |
440 | 0 | return 0; |
441 | 1.09M | } |
442 | 1.09M | } |
443 | 2.07M | } |
444 | 2.40M | } |
445 | | |
446 | 2.40M | if (ptrs != NULL) { |
447 | 1.87M | ptrs->raw_pn = pn; |
448 | 1.87M | if (pn != NULL) { |
449 | 640k | ptrs->raw_sample = pn + 4; |
450 | 640k | ptrs->raw_sample_len = PACKET_end(pkt) - ptrs->raw_sample; |
451 | 640k | } |
452 | 1.87M | } |
453 | | |
454 | 2.40M | return 1; |
455 | 2.65M | } |
456 | | |
457 | | int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, |
458 | | size_t short_conn_id_len, |
459 | | const QUIC_PKT_HDR *hdr, |
460 | | QUIC_PKT_HDR_PTRS *ptrs) |
461 | 960k | { |
462 | 960k | unsigned char b0; |
463 | 960k | size_t off_start, off_sample, off_pn; |
464 | 960k | unsigned char *start = WPACKET_get_curr(pkt); |
465 | | |
466 | 960k | if (!WPACKET_get_total_written(pkt, &off_start)) |
467 | 0 | return 0; |
468 | | |
469 | 960k | if (ptrs != NULL) { |
470 | | /* ptrs would not be stable on non-static WPACKET */ |
471 | 869k | if (!ossl_assert(pkt->staticbuf != NULL)) |
472 | 0 | return 0; |
473 | 869k | ptrs->raw_start = NULL; |
474 | 869k | ptrs->raw_sample = NULL; |
475 | 869k | ptrs->raw_sample_len = 0; |
476 | 869k | ptrs->raw_pn = 0; |
477 | 869k | } |
478 | | |
479 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
480 | 960k | if (hdr->partial |
481 | 960k | || (hdr->type == QUIC_PKT_TYPE_1RTT |
482 | 139k | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
483 | 0 | return 0; |
484 | | |
485 | 960k | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
486 | | /* Short header. */ |
487 | | |
488 | | /* |
489 | | * Cannot serialize a header whose DCID length is wrong, or with an |
490 | | * invalid PN length. |
491 | | */ |
492 | 139k | if (hdr->dst_conn_id.id_len != short_conn_id_len |
493 | 139k | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
494 | 139k | || hdr->pn_len < 1 || hdr->pn_len > 4) |
495 | 0 | return 0; |
496 | | |
497 | 139k | b0 = (hdr->spin_bit << 5) |
498 | 139k | | (hdr->key_phase << 2) |
499 | 139k | | (hdr->pn_len - 1) |
500 | 139k | | (hdr->reserved << 3) |
501 | 139k | | 0x40; /* fixed bit */ |
502 | | |
503 | 139k | if (!WPACKET_put_bytes_u8(pkt, b0) |
504 | 139k | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, short_conn_id_len) |
505 | 139k | || !WPACKET_get_total_written(pkt, &off_pn) |
506 | 139k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
507 | 0 | return 0; |
508 | 821k | } else { |
509 | | /* Long header. */ |
510 | 821k | unsigned int raw_type; |
511 | | |
512 | 821k | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
513 | 821k | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
514 | 0 | return 0; |
515 | | |
516 | 821k | if (ossl_quic_pkt_type_has_pn(hdr->type) |
517 | 730k | && (hdr->pn_len < 1 || hdr->pn_len > 4)) |
518 | 0 | return 0; |
519 | | |
520 | 821k | switch (hdr->type) { |
521 | 0 | case QUIC_PKT_TYPE_VERSION_NEG: |
522 | 0 | if (hdr->version != 0) |
523 | 0 | return 0; |
524 | | |
525 | | /* Version negotiation packets use zero for the type bits */ |
526 | 0 | raw_type = 0; |
527 | 0 | break; |
528 | | |
529 | 619k | case QUIC_PKT_TYPE_INITIAL: |
530 | 619k | raw_type = 0; |
531 | 619k | break; |
532 | 0 | case QUIC_PKT_TYPE_0RTT: |
533 | 0 | raw_type = 1; |
534 | 0 | break; |
535 | 111k | case QUIC_PKT_TYPE_HANDSHAKE: |
536 | 111k | raw_type = 2; |
537 | 111k | break; |
538 | 91.2k | case QUIC_PKT_TYPE_RETRY: |
539 | 91.2k | raw_type = 3; |
540 | 91.2k | break; |
541 | 0 | default: |
542 | 0 | return 0; |
543 | 821k | } |
544 | | |
545 | 821k | b0 = (raw_type << 4) | 0x80; /* long */ |
546 | 821k | if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed) |
547 | 821k | b0 |= 0x40; /* fixed */ |
548 | 821k | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
549 | 730k | b0 |= hdr->pn_len - 1; |
550 | 730k | b0 |= (hdr->reserved << 2); |
551 | 730k | } |
552 | 821k | if (hdr->type == QUIC_PKT_TYPE_RETRY) |
553 | 91.2k | b0 |= hdr->unused; |
554 | | |
555 | 821k | if (!WPACKET_put_bytes_u8(pkt, b0) |
556 | 821k | || !WPACKET_put_bytes_u32(pkt, hdr->version) |
557 | 821k | || !WPACKET_put_bytes_u8(pkt, hdr->dst_conn_id.id_len) |
558 | 821k | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, |
559 | 821k | hdr->dst_conn_id.id_len) |
560 | 821k | || !WPACKET_put_bytes_u8(pkt, hdr->src_conn_id.id_len) |
561 | 821k | || !WPACKET_memcpy(pkt, hdr->src_conn_id.id, |
562 | 821k | hdr->src_conn_id.id_len)) |
563 | 0 | return 0; |
564 | | |
565 | 821k | if (hdr->type == QUIC_PKT_TYPE_VERSION_NEG |
566 | 821k | || hdr->type == QUIC_PKT_TYPE_RETRY) { |
567 | 91.2k | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
568 | 0 | return 0; |
569 | | |
570 | 91.2k | return 1; |
571 | 91.2k | } |
572 | | |
573 | 730k | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
574 | 619k | if (!WPACKET_quic_write_vlint(pkt, hdr->token_len) |
575 | 619k | || !WPACKET_memcpy(pkt, hdr->token, hdr->token_len)) |
576 | 0 | return 0; |
577 | 619k | } |
578 | | |
579 | 730k | if (!WPACKET_quic_write_vlint(pkt, hdr->len + hdr->pn_len) |
580 | 730k | || !WPACKET_get_total_written(pkt, &off_pn) |
581 | 730k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
582 | 0 | return 0; |
583 | 730k | } |
584 | | |
585 | 869k | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
586 | 0 | return 0; |
587 | | |
588 | 869k | off_sample = off_pn + 4; |
589 | | |
590 | 869k | if (ptrs != NULL) { |
591 | 869k | ptrs->raw_start = start; |
592 | 869k | ptrs->raw_sample = start + (off_sample - off_start); |
593 | 869k | ptrs->raw_sample_len |
594 | 869k | = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; |
595 | 869k | ptrs->raw_pn = start + (off_pn - off_start); |
596 | 869k | } |
597 | | |
598 | 869k | return 1; |
599 | 869k | } |
600 | | |
601 | | int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, |
602 | | const QUIC_PKT_HDR *hdr) |
603 | 52.8M | { |
604 | 52.8M | size_t len = 0, enclen; |
605 | | |
606 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
607 | 52.8M | if (hdr->partial |
608 | 52.8M | || (hdr->type == QUIC_PKT_TYPE_1RTT |
609 | 13.0M | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
610 | 0 | return 0; |
611 | | |
612 | 52.8M | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
613 | | /* Short header. */ |
614 | | |
615 | | /* |
616 | | * Cannot serialize a header whose DCID length is wrong, or with an |
617 | | * invalid PN length. |
618 | | */ |
619 | 13.0M | if (hdr->dst_conn_id.id_len != short_conn_id_len |
620 | 13.0M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
621 | 13.0M | || hdr->pn_len < 1 || hdr->pn_len > 4) |
622 | 0 | return 0; |
623 | | |
624 | 13.0M | return 1 + short_conn_id_len + hdr->pn_len; |
625 | 39.7M | } else { |
626 | | /* Long header. */ |
627 | 39.7M | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
628 | 39.7M | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
629 | 0 | return 0; |
630 | | |
631 | 39.7M | len += 1 /* Initial byte */ + 4 /* Version */ |
632 | 39.7M | + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ |
633 | 39.7M | + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ |
634 | 39.7M | ; |
635 | | |
636 | 39.7M | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
637 | 39.7M | if (hdr->pn_len < 1 || hdr->pn_len > 4) |
638 | 0 | return 0; |
639 | | |
640 | 39.7M | len += hdr->pn_len; |
641 | 39.7M | } |
642 | | |
643 | 39.7M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
644 | 37.2M | enclen = ossl_quic_vlint_encode_len(hdr->token_len); |
645 | 37.2M | if (!enclen) |
646 | 0 | return 0; |
647 | | |
648 | 37.2M | len += enclen + hdr->token_len; |
649 | 37.2M | } |
650 | | |
651 | 39.7M | if (!ossl_quic_pkt_type_must_be_last(hdr->type)) { |
652 | 39.7M | enclen = ossl_quic_vlint_encode_len(hdr->len + hdr->pn_len); |
653 | 39.7M | if (!enclen) |
654 | 0 | return 0; |
655 | | |
656 | 39.7M | len += enclen; |
657 | 39.7M | } |
658 | | |
659 | 39.7M | return len; |
660 | 39.7M | } |
661 | 52.8M | } |
662 | | |
663 | | int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, |
664 | | size_t buf_len, |
665 | | size_t short_conn_id_len, |
666 | | QUIC_CONN_ID *dst_conn_id) |
667 | 11.7M | { |
668 | 11.7M | unsigned char b0; |
669 | 11.7M | size_t blen; |
670 | | |
671 | 11.7M | if (buf_len < QUIC_MIN_VALID_PKT_LEN |
672 | 5.59M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
673 | 6.15M | return 0; |
674 | | |
675 | 5.59M | b0 = buf[0]; |
676 | 5.59M | if ((b0 & 0x80) != 0) { |
677 | | /* |
678 | | * Long header. We need 6 bytes (initial byte, 4 version bytes, DCID |
679 | | * length byte to begin with). This is covered by the buf_len test |
680 | | * above. |
681 | | */ |
682 | | |
683 | | /* |
684 | | * If the version field is non-zero (meaning that this is not a Version |
685 | | * Negotiation packet), the fixed bit must be set. |
686 | | */ |
687 | 5.00M | if ((buf[1] || buf[2] || buf[3] || buf[4]) && (b0 & 0x40) == 0) |
688 | 8.47k | return 0; |
689 | | |
690 | 4.99M | blen = (size_t)buf[5]; /* DCID Length */ |
691 | 4.99M | if (blen > QUIC_MAX_CONN_ID_LEN |
692 | 4.45M | || buf_len < QUIC_MIN_VALID_PKT_LEN + blen) |
693 | 542k | return 0; |
694 | | |
695 | 4.45M | dst_conn_id->id_len = (unsigned char)blen; |
696 | 4.45M | memcpy(dst_conn_id->id, buf + 6, blen); |
697 | 4.45M | return 1; |
698 | 4.99M | } else { |
699 | | /* Short header. */ |
700 | 588k | if ((b0 & 0x40) == 0) |
701 | | /* Fixed bit not set, not a valid QUIC packet header. */ |
702 | 487k | return 0; |
703 | | |
704 | 100k | if (buf_len < QUIC_MIN_VALID_PKT_LEN_CRYPTO + short_conn_id_len) |
705 | 1.04k | return 0; |
706 | | |
707 | 99.7k | dst_conn_id->id_len = (unsigned char)short_conn_id_len; |
708 | 99.7k | memcpy(dst_conn_id->id, buf + 1, short_conn_id_len); |
709 | 99.7k | return 1; |
710 | 100k | } |
711 | 5.59M | } |
712 | | |
713 | | int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn, |
714 | | size_t enc_pn_len, |
715 | | QUIC_PN largest_pn, |
716 | | QUIC_PN *res_pn) |
717 | 1.19M | { |
718 | 1.19M | int64_t expected_pn, truncated_pn, candidate_pn, pn_win, pn_hwin, pn_mask; |
719 | | |
720 | 1.19M | switch (enc_pn_len) { |
721 | 40.8k | case 1: |
722 | 40.8k | truncated_pn = enc_pn[0]; |
723 | 40.8k | break; |
724 | 2.36k | case 2: |
725 | 2.36k | truncated_pn = ((QUIC_PN)enc_pn[0] << 8) |
726 | 2.36k | | (QUIC_PN)enc_pn[1]; |
727 | 2.36k | break; |
728 | 397k | case 3: |
729 | 397k | truncated_pn = ((QUIC_PN)enc_pn[0] << 16) |
730 | 397k | | ((QUIC_PN)enc_pn[1] << 8) |
731 | 397k | | (QUIC_PN)enc_pn[2]; |
732 | 397k | break; |
733 | 754k | case 4: |
734 | 754k | truncated_pn = ((QUIC_PN)enc_pn[0] << 24) |
735 | 754k | | ((QUIC_PN)enc_pn[1] << 16) |
736 | 754k | | ((QUIC_PN)enc_pn[2] << 8) |
737 | 754k | | (QUIC_PN)enc_pn[3]; |
738 | 754k | break; |
739 | 0 | default: |
740 | 0 | return 0; |
741 | 1.19M | } |
742 | | |
743 | | /* Implemented as per RFC 9000 Section A.3. */ |
744 | 1.19M | expected_pn = largest_pn + 1; |
745 | 1.19M | pn_win = ((int64_t)1) << (enc_pn_len * 8); |
746 | 1.19M | pn_hwin = pn_win / 2; |
747 | 1.19M | pn_mask = pn_win - 1; |
748 | 1.19M | candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; |
749 | 1.19M | if (candidate_pn <= expected_pn - pn_hwin |
750 | 170k | && candidate_pn < (((int64_t)1) << 62) - pn_win) |
751 | 170k | *res_pn = candidate_pn + pn_win; |
752 | 1.02M | else if (candidate_pn > expected_pn + pn_hwin |
753 | 76.5k | && candidate_pn >= pn_win) |
754 | 66.5k | *res_pn = candidate_pn - pn_win; |
755 | 958k | else |
756 | 958k | *res_pn = candidate_pn; |
757 | 1.19M | return 1; |
758 | 1.19M | } |
759 | | |
760 | | /* From RFC 9000 Section A.2. Simplified implementation. */ |
761 | | int ossl_quic_wire_determine_pn_len(QUIC_PN pn, |
762 | | QUIC_PN largest_acked) |
763 | 0 | { |
764 | 0 | uint64_t num_unacked |
765 | 0 | = (largest_acked == QUIC_PN_INVALID) ? pn + 1 : pn - largest_acked; |
766 | | |
767 | | /* |
768 | | * num_unacked \in [ 0, 2** 7] -> 1 byte |
769 | | * num_unacked \in (2** 7, 2**15] -> 2 bytes |
770 | | * num_unacked \in (2**15, 2**23] -> 3 bytes |
771 | | * num_unacked \in (2**23, ] -> 4 bytes |
772 | | */ |
773 | |
|
774 | 0 | if (num_unacked <= (1U << 7)) |
775 | 0 | return 1; |
776 | 0 | if (num_unacked <= (1U << 15)) |
777 | 0 | return 2; |
778 | 0 | if (num_unacked <= (1U << 23)) |
779 | 0 | return 3; |
780 | 0 | return 4; |
781 | 0 | } |
782 | | |
783 | | int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn, |
784 | | unsigned char *enc_pn, |
785 | | size_t enc_pn_len) |
786 | 2.07M | { |
787 | 2.07M | switch (enc_pn_len) { |
788 | 0 | case 1: |
789 | 0 | enc_pn[0] = (unsigned char)pn; |
790 | 0 | break; |
791 | 0 | case 2: |
792 | 0 | enc_pn[1] = (unsigned char)pn; |
793 | 0 | enc_pn[0] = (unsigned char)(pn >> 8); |
794 | 0 | break; |
795 | 0 | case 3: |
796 | 0 | enc_pn[2] = (unsigned char)pn; |
797 | 0 | enc_pn[1] = (unsigned char)(pn >> 8); |
798 | 0 | enc_pn[0] = (unsigned char)(pn >> 16); |
799 | 0 | break; |
800 | 2.07M | case 4: |
801 | 2.07M | enc_pn[3] = (unsigned char)pn; |
802 | 2.07M | enc_pn[2] = (unsigned char)(pn >> 8); |
803 | 2.07M | enc_pn[1] = (unsigned char)(pn >> 16); |
804 | 2.07M | enc_pn[0] = (unsigned char)(pn >> 24); |
805 | 2.07M | break; |
806 | 0 | default: |
807 | 0 | return 0; |
808 | 2.07M | } |
809 | | |
810 | 2.07M | return 1; |
811 | 2.07M | } |
812 | | |
813 | | int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
814 | | const char *propq, |
815 | | const QUIC_PKT_HDR *hdr, |
816 | | const QUIC_CONN_ID *client_initial_dcid) |
817 | 332k | { |
818 | 332k | unsigned char expected_tag[QUIC_RETRY_INTEGRITY_TAG_LEN]; |
819 | 332k | const unsigned char *actual_tag; |
820 | | |
821 | 332k | if (hdr == NULL || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN) |
822 | 0 | return 0; |
823 | | |
824 | 332k | if (!ossl_quic_calculate_retry_integrity_tag(libctx, propq, |
825 | 332k | hdr, client_initial_dcid, |
826 | 332k | expected_tag)) |
827 | 0 | return 0; |
828 | | |
829 | 332k | actual_tag = hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN; |
830 | | |
831 | 332k | return !CRYPTO_memcmp(expected_tag, actual_tag, |
832 | 332k | QUIC_RETRY_INTEGRITY_TAG_LEN); |
833 | 332k | } |
834 | | |
835 | | /* RFC 9001 s. 5.8 */ |
836 | | static const unsigned char retry_integrity_key[] = { |
837 | | 0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, |
838 | | 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e |
839 | | }; |
840 | | |
841 | | static const unsigned char retry_integrity_nonce[] = { |
842 | | 0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, |
843 | | 0x23, 0x98, 0x25, 0xbb |
844 | | }; |
845 | | |
846 | | int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
847 | | const char *propq, |
848 | | const QUIC_PKT_HDR *hdr, |
849 | | const QUIC_CONN_ID *client_initial_dcid, |
850 | | unsigned char *tag) |
851 | 332k | { |
852 | 332k | EVP_CIPHER *cipher = NULL; |
853 | 332k | EVP_CIPHER_CTX *cctx = NULL; |
854 | 332k | int ok = 0, l = 0, l2 = 0, wpkt_valid = 0; |
855 | 332k | WPACKET wpkt; |
856 | | /* Worst case length of the Retry Psuedo-Packet header is 68 bytes. */ |
857 | 332k | unsigned char buf[128]; |
858 | 332k | QUIC_PKT_HDR hdr2; |
859 | 332k | size_t hdr_enc_len = 0; |
860 | | |
861 | 332k | if (hdr->type != QUIC_PKT_TYPE_RETRY || hdr->version == 0 |
862 | 332k | || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN |
863 | 332k | || hdr->data == NULL |
864 | 332k | || client_initial_dcid == NULL || tag == NULL |
865 | 332k | || client_initial_dcid->id_len > QUIC_MAX_CONN_ID_LEN) { |
866 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
867 | 0 | goto err; |
868 | 0 | } |
869 | | |
870 | | /* |
871 | | * Do not reserve packet body in WPACKET. Retry packet header |
872 | | * does not contain a Length field so this does not affect |
873 | | * the serialized packet header. |
874 | | */ |
875 | 332k | hdr2 = *hdr; |
876 | 332k | hdr2.len = 0; |
877 | | |
878 | | /* Assemble retry psuedo-packet. */ |
879 | 332k | if (!WPACKET_init_static_len(&wpkt, buf, sizeof(buf), 0)) { |
880 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
881 | 0 | goto err; |
882 | 0 | } |
883 | | |
884 | 332k | wpkt_valid = 1; |
885 | | |
886 | | /* Prepend original DCID to the packet. */ |
887 | 332k | if (!WPACKET_put_bytes_u8(&wpkt, client_initial_dcid->id_len) |
888 | 332k | || !WPACKET_memcpy(&wpkt, client_initial_dcid->id, |
889 | 332k | client_initial_dcid->id_len)) { |
890 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
891 | 0 | goto err; |
892 | 0 | } |
893 | | |
894 | | /* Encode main retry header. */ |
895 | 332k | if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, hdr2.dst_conn_id.id_len, |
896 | 332k | &hdr2, NULL)) |
897 | 0 | goto err; |
898 | | |
899 | 332k | if (!WPACKET_get_total_written(&wpkt, &hdr_enc_len)) { |
900 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
901 | 0 | goto err; |
902 | 0 | } |
903 | | |
904 | | /* Create and initialise cipher context. */ |
905 | | /* TODO(QUIC FUTURE): Cipher fetch caching. */ |
906 | 332k | if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", propq)) == NULL) { |
907 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
908 | 0 | goto err; |
909 | 0 | } |
910 | | |
911 | 332k | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
912 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
913 | 0 | goto err; |
914 | 0 | } |
915 | | |
916 | 332k | if (!EVP_CipherInit_ex(cctx, cipher, NULL, |
917 | 332k | retry_integrity_key, retry_integrity_nonce, /*enc=*/1)) { |
918 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
919 | 0 | goto err; |
920 | 0 | } |
921 | | |
922 | | /* Feed packet header as AAD data. */ |
923 | 332k | if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) { |
924 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
925 | 0 | goto err; |
926 | 0 | } |
927 | | |
928 | | /* Feed packet body as AAD data. */ |
929 | 332k | if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data, |
930 | 332k | hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) |
931 | 332k | != 1) { |
932 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
933 | 0 | goto err; |
934 | 0 | } |
935 | | |
936 | | /* Finalise and get tag. */ |
937 | 332k | if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { |
938 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
939 | 0 | goto err; |
940 | 0 | } |
941 | | |
942 | 332k | if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, |
943 | 332k | QUIC_RETRY_INTEGRITY_TAG_LEN, |
944 | 332k | tag) |
945 | 332k | != 1) { |
946 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
947 | 0 | goto err; |
948 | 0 | } |
949 | | |
950 | 332k | ok = 1; |
951 | 332k | err: |
952 | 332k | EVP_CIPHER_free(cipher); |
953 | 332k | EVP_CIPHER_CTX_free(cctx); |
954 | 332k | if (wpkt_valid) |
955 | 332k | WPACKET_finish(&wpkt); |
956 | | |
957 | 332k | return ok; |
958 | 332k | } |