/src/openssl35/ssl/quic/quic_wire_pkt.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/err.h> |
11 | | #include "internal/common.h" |
12 | | #include "internal/quic_wire_pkt.h" |
13 | | |
14 | | int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr, |
15 | | OSSL_LIB_CTX *libctx, |
16 | | const char *propq, |
17 | | uint32_t cipher_id, |
18 | | const unsigned char *quic_hp_key, |
19 | | size_t quic_hp_key_len) |
20 | 176k | { |
21 | 176k | const char *cipher_name = NULL; |
22 | | |
23 | 176k | switch (cipher_id) { |
24 | 104k | case QUIC_HDR_PROT_CIPHER_AES_128: |
25 | 104k | cipher_name = "AES-128-ECB"; |
26 | 104k | break; |
27 | 67.6k | case QUIC_HDR_PROT_CIPHER_AES_256: |
28 | 67.6k | cipher_name = "AES-256-ECB"; |
29 | 67.6k | break; |
30 | 3.92k | case QUIC_HDR_PROT_CIPHER_CHACHA: |
31 | 3.92k | cipher_name = "ChaCha20"; |
32 | 3.92k | break; |
33 | 0 | default: |
34 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED); |
35 | 0 | return 0; |
36 | 176k | } |
37 | | |
38 | 176k | hpr->cipher_ctx = EVP_CIPHER_CTX_new(); |
39 | 176k | if (hpr->cipher_ctx == NULL) { |
40 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
41 | 0 | return 0; |
42 | 0 | } |
43 | | |
44 | 176k | hpr->cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq); |
45 | 176k | if (hpr->cipher == NULL |
46 | 176k | || quic_hp_key_len != (size_t)EVP_CIPHER_get_key_length(hpr->cipher)) { |
47 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
48 | 0 | goto err; |
49 | 0 | } |
50 | | |
51 | 176k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, hpr->cipher, NULL, |
52 | 176k | quic_hp_key, NULL, 1)) { |
53 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
54 | 0 | goto err; |
55 | 0 | } |
56 | | |
57 | 176k | hpr->libctx = libctx; |
58 | 176k | hpr->propq = propq; |
59 | 176k | hpr->cipher_id = cipher_id; |
60 | 176k | return 1; |
61 | | |
62 | 0 | err: |
63 | 0 | ossl_quic_hdr_protector_cleanup(hpr); |
64 | 0 | return 0; |
65 | 176k | } |
66 | | |
67 | | void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr) |
68 | 176k | { |
69 | 176k | EVP_CIPHER_CTX_free(hpr->cipher_ctx); |
70 | 176k | hpr->cipher_ctx = NULL; |
71 | | |
72 | 176k | EVP_CIPHER_free(hpr->cipher); |
73 | 176k | hpr->cipher = NULL; |
74 | 176k | } |
75 | | |
76 | | static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr, |
77 | | const unsigned char *sample, size_t sample_len, |
78 | | unsigned char *mask) |
79 | 3.27M | { |
80 | 3.27M | int l = 0; |
81 | 3.27M | unsigned char dst[16]; |
82 | 3.27M | static const unsigned char zeroes[5] = { 0 }; |
83 | 3.27M | size_t i; |
84 | | |
85 | 3.27M | if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_128 |
86 | 3.17M | || hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_256) { |
87 | 3.17M | if (sample_len < 16) { |
88 | 3.19k | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
89 | 3.19k | return 0; |
90 | 3.19k | } |
91 | | |
92 | 3.16M | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, NULL, 1) |
93 | 3.16M | || !EVP_CipherUpdate(hpr->cipher_ctx, dst, &l, sample, 16)) { |
94 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
95 | 0 | return 0; |
96 | 0 | } |
97 | | |
98 | 19.0M | for (i = 0; i < 5; ++i) |
99 | 15.8M | mask[i] = dst[i]; |
100 | 3.16M | } else if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_CHACHA) { |
101 | 104k | if (sample_len < 16) { |
102 | 2.64k | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
103 | 2.64k | return 0; |
104 | 2.64k | } |
105 | | |
106 | 101k | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, sample, 1) |
107 | 101k | || !EVP_CipherUpdate(hpr->cipher_ctx, mask, &l, |
108 | 101k | zeroes, sizeof(zeroes))) { |
109 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
110 | 0 | return 0; |
111 | 0 | } |
112 | 101k | } else { |
113 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
114 | 0 | assert(0); |
115 | 0 | return 0; |
116 | 0 | } |
117 | | |
118 | 3.26M | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
119 | | /* No matter what we did above we use the same mask in fuzzing mode */ |
120 | 3.26M | memset(mask, 0, 5); |
121 | 3.26M | #endif |
122 | | |
123 | 3.26M | return 1; |
124 | 3.27M | } |
125 | | |
126 | | int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr, |
127 | | QUIC_PKT_HDR_PTRS *ptrs) |
128 | 1.20M | { |
129 | 1.20M | return ossl_quic_hdr_protector_decrypt_fields(hpr, |
130 | 1.20M | ptrs->raw_sample, |
131 | 1.20M | ptrs->raw_sample_len, |
132 | 1.20M | ptrs->raw_start, |
133 | 1.20M | ptrs->raw_pn); |
134 | 1.20M | } |
135 | | |
136 | | int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
137 | | const unsigned char *sample, |
138 | | size_t sample_len, |
139 | | unsigned char *first_byte, |
140 | | unsigned char *pn_bytes) |
141 | 1.20M | { |
142 | 1.20M | unsigned char mask[5], pn_len, i; |
143 | | |
144 | 1.20M | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
145 | 5.83k | return 0; |
146 | | |
147 | 1.19M | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
148 | 1.19M | pn_len = (*first_byte & 0x3) + 1; |
149 | | |
150 | 5.45M | for (i = 0; i < pn_len; ++i) |
151 | 4.25M | pn_bytes[i] ^= mask[i + 1]; |
152 | | |
153 | 1.19M | return 1; |
154 | 1.20M | } |
155 | | |
156 | | int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr, |
157 | | QUIC_PKT_HDR_PTRS *ptrs) |
158 | 2.07M | { |
159 | 2.07M | return ossl_quic_hdr_protector_encrypt_fields(hpr, |
160 | 2.07M | ptrs->raw_sample, |
161 | 2.07M | ptrs->raw_sample_len, |
162 | 2.07M | ptrs->raw_start, |
163 | 2.07M | ptrs->raw_pn); |
164 | 2.07M | } |
165 | | |
166 | | int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
167 | | const unsigned char *sample, |
168 | | size_t sample_len, |
169 | | unsigned char *first_byte, |
170 | | unsigned char *pn_bytes) |
171 | 2.07M | { |
172 | 2.07M | unsigned char mask[5], pn_len, i; |
173 | | |
174 | 2.07M | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
175 | 0 | return 0; |
176 | | |
177 | 2.07M | pn_len = (*first_byte & 0x3) + 1; |
178 | 10.3M | for (i = 0; i < pn_len; ++i) |
179 | 8.29M | pn_bytes[i] ^= mask[i + 1]; |
180 | | |
181 | 2.07M | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
182 | 2.07M | return 1; |
183 | 2.07M | } |
184 | | |
185 | | int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt, |
186 | | size_t short_conn_id_len, |
187 | | int partial, |
188 | | int nodata, |
189 | | QUIC_PKT_HDR *hdr, |
190 | | QUIC_PKT_HDR_PTRS *ptrs, |
191 | | uint64_t *fail_cause) |
192 | 3.63M | { |
193 | 3.63M | unsigned int b0; |
194 | 3.63M | unsigned char *pn = NULL; |
195 | 3.63M | size_t l = PACKET_remaining(pkt); |
196 | | |
197 | 3.63M | if (fail_cause != NULL) |
198 | 0 | *fail_cause = QUIC_PKT_HDR_DECODE_DECODE_ERR; |
199 | | |
200 | 3.63M | if (ptrs != NULL) { |
201 | 2.97M | ptrs->raw_start = (unsigned char *)PACKET_data(pkt); |
202 | 2.97M | ptrs->raw_sample = NULL; |
203 | 2.97M | ptrs->raw_sample_len = 0; |
204 | 2.97M | ptrs->raw_pn = NULL; |
205 | 2.97M | } |
206 | | |
207 | 3.63M | if (l < QUIC_MIN_VALID_PKT_LEN |
208 | 3.63M | || !PACKET_get_1(pkt, &b0)) |
209 | 0 | return 0; |
210 | | |
211 | 3.63M | hdr->partial = partial; |
212 | 3.63M | hdr->unused = 0; |
213 | 3.63M | hdr->reserved = 0; |
214 | | |
215 | 3.63M | if ((b0 & 0x80) == 0) { |
216 | | /* Short header. */ |
217 | 233k | if (short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
218 | 0 | return 0; |
219 | | |
220 | 233k | if ((b0 & 0x40) == 0 /* fixed bit not set? */ |
221 | 140k | || l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
222 | 108k | return 0; |
223 | | |
224 | 124k | hdr->type = QUIC_PKT_TYPE_1RTT; |
225 | 124k | hdr->fixed = 1; |
226 | 124k | hdr->spin_bit = (b0 & 0x20) != 0; |
227 | 124k | if (partial) { |
228 | 68.4k | hdr->key_phase = 0; /* protected, zero for now */ |
229 | 68.4k | hdr->pn_len = 0; /* protected, zero for now */ |
230 | 68.4k | hdr->reserved = 0; /* protected, zero for now */ |
231 | 68.4k | } else { |
232 | 56.4k | hdr->key_phase = (b0 & 0x04) != 0; |
233 | 56.4k | hdr->pn_len = (b0 & 0x03) + 1; |
234 | 56.4k | hdr->reserved = (b0 & 0x18) >> 3; |
235 | 56.4k | } |
236 | | |
237 | | /* Copy destination connection ID field to header structure. */ |
238 | 124k | if (!PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, short_conn_id_len)) |
239 | 0 | return 0; |
240 | | |
241 | 124k | hdr->dst_conn_id.id_len = (unsigned char)short_conn_id_len; |
242 | | |
243 | | /* |
244 | | * Skip over the PN. If this is a partial decode, the PN length field |
245 | | * currently has header protection applied. Thus we do not know the |
246 | | * length of the PN but we are allowed to assume it is 4 bytes long at |
247 | | * this stage. |
248 | | */ |
249 | 124k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
250 | 124k | pn = (unsigned char *)PACKET_data(pkt); |
251 | 124k | if (partial) { |
252 | 68.4k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
253 | 0 | return 0; |
254 | 68.4k | } else { |
255 | 56.4k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
256 | 0 | return 0; |
257 | 56.4k | } |
258 | | |
259 | | /* Fields not used in short-header packets. */ |
260 | 124k | hdr->version = 0; |
261 | 124k | hdr->src_conn_id.id_len = 0; |
262 | 124k | hdr->token = NULL; |
263 | 124k | hdr->token_len = 0; |
264 | | |
265 | | /* |
266 | | * Short-header packets always come last in a datagram, the length |
267 | | * is the remainder of the buffer. |
268 | | */ |
269 | 124k | hdr->len = PACKET_remaining(pkt); |
270 | 124k | hdr->data = PACKET_data(pkt); |
271 | | |
272 | | /* |
273 | | * Skip over payload. Since this is a short header packet, which cannot |
274 | | * be followed by any other kind of packet, this advances us to the end |
275 | | * of the datagram. |
276 | | */ |
277 | 124k | if (!PACKET_forward(pkt, hdr->len)) |
278 | 0 | return 0; |
279 | 3.40M | } else { |
280 | | /* Long header. */ |
281 | 3.40M | unsigned long version; |
282 | 3.40M | unsigned int dst_conn_id_len, src_conn_id_len, raw_type; |
283 | | |
284 | 3.40M | if (!PACKET_get_net_4(pkt, &version)) |
285 | 0 | return 0; |
286 | | |
287 | | /* |
288 | | * All QUIC packets must have the fixed bit set, except exceptionally |
289 | | * for Version Negotiation packets. |
290 | | */ |
291 | 3.40M | if (version != 0 && (b0 & 0x40) == 0) |
292 | 11.1k | return 0; |
293 | | |
294 | 3.39M | if (!PACKET_get_1(pkt, &dst_conn_id_len) |
295 | 3.39M | || dst_conn_id_len > QUIC_MAX_CONN_ID_LEN |
296 | 3.39M | || !PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, dst_conn_id_len) |
297 | 3.36M | || !PACKET_get_1(pkt, &src_conn_id_len) |
298 | 3.36M | || src_conn_id_len > QUIC_MAX_CONN_ID_LEN |
299 | 3.33M | || !PACKET_copy_bytes(pkt, hdr->src_conn_id.id, src_conn_id_len)) |
300 | 70.2k | return 0; |
301 | | |
302 | 3.32M | hdr->version = (uint32_t)version; |
303 | 3.32M | hdr->dst_conn_id.id_len = (unsigned char)dst_conn_id_len; |
304 | 3.32M | hdr->src_conn_id.id_len = (unsigned char)src_conn_id_len; |
305 | | |
306 | 3.32M | if (version == 0) { |
307 | | /* |
308 | | * Version negotiation packet. Version negotiation packets are |
309 | | * identified by a version field of 0 and the type bits in the first |
310 | | * byte are ignored (they may take any value, and we ignore them). |
311 | | */ |
312 | 427k | hdr->type = QUIC_PKT_TYPE_VERSION_NEG; |
313 | 427k | hdr->fixed = (b0 & 0x40) != 0; |
314 | | |
315 | 427k | hdr->data = PACKET_data(pkt); |
316 | 427k | hdr->len = PACKET_remaining(pkt); |
317 | | |
318 | | /* |
319 | | * Version negotiation packets must contain an array of u32s, so it |
320 | | * is invalid for their payload length to not be divisible by 4. |
321 | | */ |
322 | 427k | if ((hdr->len % 4) != 0) |
323 | 8.55k | return 0; |
324 | | |
325 | | /* Version negotiation packets are always fully decoded. */ |
326 | 419k | hdr->partial = 0; |
327 | | |
328 | | /* Fields not used in version negotiation packets. */ |
329 | 419k | hdr->pn_len = 0; |
330 | 419k | hdr->spin_bit = 0; |
331 | 419k | hdr->key_phase = 0; |
332 | 419k | hdr->token = NULL; |
333 | 419k | hdr->token_len = 0; |
334 | 419k | memset(hdr->pn, 0, sizeof(hdr->pn)); |
335 | | |
336 | 419k | if (!PACKET_forward(pkt, hdr->len)) |
337 | 0 | return 0; |
338 | 2.89M | } else if (version != QUIC_VERSION_1) { |
339 | 92.1k | if (fail_cause != NULL) |
340 | 0 | *fail_cause |= QUIC_PKT_HDR_DECODE_BAD_VERSION; |
341 | | /* Unknown version, do not decode. */ |
342 | 92.1k | return 0; |
343 | 2.80M | } else { |
344 | 2.80M | if (l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
345 | 2.29k | return 0; |
346 | | |
347 | | /* Get long packet type and decode to QUIC_PKT_TYPE_*. */ |
348 | 2.80M | raw_type = ((b0 >> 4) & 0x3); |
349 | | |
350 | 2.80M | switch (raw_type) { |
351 | 1.22M | case 0: |
352 | 1.22M | hdr->type = QUIC_PKT_TYPE_INITIAL; |
353 | 1.22M | break; |
354 | 639 | case 1: |
355 | 639 | hdr->type = QUIC_PKT_TYPE_0RTT; |
356 | 639 | break; |
357 | 134k | case 2: |
358 | 134k | hdr->type = QUIC_PKT_TYPE_HANDSHAKE; |
359 | 134k | break; |
360 | 1.43M | case 3: |
361 | 1.43M | hdr->type = QUIC_PKT_TYPE_RETRY; |
362 | 1.43M | break; |
363 | 2.80M | } |
364 | | |
365 | 2.80M | hdr->pn_len = 0; |
366 | 2.80M | hdr->fixed = 1; |
367 | | |
368 | | /* Fields not used in long-header packets. */ |
369 | 2.80M | hdr->spin_bit = 0; |
370 | 2.80M | hdr->key_phase = 0; |
371 | | |
372 | 2.80M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
373 | | /* Initial packet. */ |
374 | 1.22M | uint64_t token_len; |
375 | | |
376 | 1.22M | if (!PACKET_get_quic_vlint(pkt, &token_len) |
377 | 1.22M | || token_len > SIZE_MAX |
378 | 1.22M | || !PACKET_get_bytes(pkt, &hdr->token, (size_t)token_len)) |
379 | 3.60k | return 0; |
380 | | |
381 | 1.22M | hdr->token_len = (size_t)token_len; |
382 | 1.22M | if (token_len == 0) |
383 | 1.21M | hdr->token = NULL; |
384 | 1.57M | } else { |
385 | 1.57M | hdr->token = NULL; |
386 | 1.57M | hdr->token_len = 0; |
387 | 1.57M | } |
388 | | |
389 | 2.79M | if (hdr->type == QUIC_PKT_TYPE_RETRY) { |
390 | | /* Retry packet. */ |
391 | 1.43M | hdr->data = PACKET_data(pkt); |
392 | 1.43M | hdr->len = PACKET_remaining(pkt); |
393 | | |
394 | | /* Retry packets are always fully decoded. */ |
395 | 1.43M | hdr->partial = 0; |
396 | | |
397 | | /* Unused bits in Retry header. */ |
398 | 1.43M | hdr->unused = b0 & 0x0f; |
399 | | |
400 | | /* Fields not used in Retry packets. */ |
401 | 1.43M | memset(hdr->pn, 0, sizeof(hdr->pn)); |
402 | | |
403 | 1.43M | if (!PACKET_forward(pkt, hdr->len)) |
404 | 0 | return 0; |
405 | 1.43M | } else { |
406 | | /* Initial, 0-RTT or Handshake packet. */ |
407 | 1.35M | uint64_t len; |
408 | | |
409 | 1.35M | hdr->pn_len = partial ? 0 : ((b0 & 0x03) + 1); |
410 | 1.35M | hdr->reserved = partial ? 0 : ((b0 & 0x0C) >> 2); |
411 | | |
412 | 1.35M | if (!PACKET_get_quic_vlint(pkt, &len) |
413 | 1.35M | || len < sizeof(hdr->pn)) |
414 | 4.88k | return 0; |
415 | | |
416 | 1.35M | if (!nodata && len > PACKET_remaining(pkt)) |
417 | 4.06k | return 0; |
418 | | |
419 | | /* |
420 | | * Skip over the PN. If this is a partial decode, the PN length |
421 | | * field currently has header protection applied. Thus we do not |
422 | | * know the length of the PN but we are allowed to assume it is |
423 | | * 4 bytes long at this stage. |
424 | | */ |
425 | 1.35M | pn = (unsigned char *)PACKET_data(pkt); |
426 | 1.35M | memset(hdr->pn, 0, sizeof(hdr->pn)); |
427 | 1.35M | if (partial) { |
428 | 734k | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
429 | 0 | return 0; |
430 | | |
431 | 734k | hdr->len = (size_t)(len - sizeof(hdr->pn)); |
432 | 734k | } else { |
433 | 616k | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
434 | 0 | return 0; |
435 | | |
436 | 616k | hdr->len = (size_t)(len - hdr->pn_len); |
437 | 616k | } |
438 | | |
439 | 1.35M | if (nodata) { |
440 | 0 | hdr->data = NULL; |
441 | 1.35M | } else { |
442 | 1.35M | hdr->data = PACKET_data(pkt); |
443 | | |
444 | | /* Skip over packet body. */ |
445 | 1.35M | if (!PACKET_forward(pkt, hdr->len)) |
446 | 0 | return 0; |
447 | 1.35M | } |
448 | 1.35M | } |
449 | 2.79M | } |
450 | 3.32M | } |
451 | | |
452 | 3.33M | if (ptrs != NULL) { |
453 | 2.67M | ptrs->raw_pn = pn; |
454 | 2.67M | if (pn != NULL) { |
455 | 815k | ptrs->raw_sample = pn + 4; |
456 | 815k | ptrs->raw_sample_len = PACKET_end(pkt) - ptrs->raw_sample; |
457 | 815k | } |
458 | 2.67M | } |
459 | | |
460 | | /* |
461 | | * Good decode, clear the generic DECODE_ERR flag |
462 | | */ |
463 | 3.33M | if (fail_cause != NULL) |
464 | 0 | *fail_cause &= ~QUIC_PKT_HDR_DECODE_DECODE_ERR; |
465 | | |
466 | 3.33M | return 1; |
467 | 3.63M | } |
468 | | |
469 | | int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, |
470 | | size_t short_conn_id_len, |
471 | | const QUIC_PKT_HDR *hdr, |
472 | | QUIC_PKT_HDR_PTRS *ptrs) |
473 | 1.44M | { |
474 | 1.44M | unsigned char b0; |
475 | 1.44M | size_t off_start, off_sample, off_pn; |
476 | 1.44M | unsigned char *start = WPACKET_get_curr(pkt); |
477 | | |
478 | 1.44M | if (!WPACKET_get_total_written(pkt, &off_start)) |
479 | 0 | return 0; |
480 | | |
481 | 1.44M | if (ptrs != NULL) { |
482 | | /* ptrs would not be stable on non-static WPACKET */ |
483 | 1.20M | if (!ossl_assert(pkt->staticbuf != NULL)) |
484 | 0 | return 0; |
485 | 1.20M | ptrs->raw_start = NULL; |
486 | 1.20M | ptrs->raw_sample = NULL; |
487 | 1.20M | ptrs->raw_sample_len = 0; |
488 | 1.20M | ptrs->raw_pn = 0; |
489 | 1.20M | } |
490 | | |
491 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
492 | 1.44M | if (hdr->partial |
493 | 1.44M | || (hdr->type == QUIC_PKT_TYPE_1RTT |
494 | 227k | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
495 | 0 | return 0; |
496 | | |
497 | 1.44M | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
498 | | /* Short header. */ |
499 | | |
500 | | /* |
501 | | * Cannot serialize a header whose DCID length is wrong, or with an |
502 | | * invalid PN length. |
503 | | */ |
504 | 227k | if (hdr->dst_conn_id.id_len != short_conn_id_len |
505 | 227k | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
506 | 227k | || hdr->pn_len < 1 || hdr->pn_len > 4) |
507 | 0 | return 0; |
508 | | |
509 | 227k | b0 = (hdr->spin_bit << 5) |
510 | 227k | | (hdr->key_phase << 2) |
511 | 227k | | (hdr->pn_len - 1) |
512 | 227k | | (hdr->reserved << 3) |
513 | 227k | | 0x40; /* fixed bit */ |
514 | | |
515 | 227k | if (!WPACKET_put_bytes_u8(pkt, b0) |
516 | 227k | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, short_conn_id_len) |
517 | 227k | || !WPACKET_get_total_written(pkt, &off_pn) |
518 | 227k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
519 | 0 | return 0; |
520 | 1.21M | } else { |
521 | | /* Long header. */ |
522 | 1.21M | unsigned int raw_type; |
523 | | |
524 | 1.21M | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
525 | 1.21M | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
526 | 0 | return 0; |
527 | | |
528 | 1.21M | if (ossl_quic_pkt_type_has_pn(hdr->type) |
529 | 977k | && (hdr->pn_len < 1 || hdr->pn_len > 4)) |
530 | 0 | return 0; |
531 | | |
532 | 1.21M | switch (hdr->type) { |
533 | 0 | case QUIC_PKT_TYPE_VERSION_NEG: |
534 | 0 | if (hdr->version != 0) |
535 | 0 | return 0; |
536 | | |
537 | | /* Version negotiation packets use zero for the type bits */ |
538 | 0 | raw_type = 0; |
539 | 0 | break; |
540 | | |
541 | 844k | case QUIC_PKT_TYPE_INITIAL: |
542 | 844k | raw_type = 0; |
543 | 844k | break; |
544 | 0 | case QUIC_PKT_TYPE_0RTT: |
545 | 0 | raw_type = 1; |
546 | 0 | break; |
547 | 133k | case QUIC_PKT_TYPE_HANDSHAKE: |
548 | 133k | raw_type = 2; |
549 | 133k | break; |
550 | 241k | case QUIC_PKT_TYPE_RETRY: |
551 | 241k | raw_type = 3; |
552 | 241k | break; |
553 | 0 | default: |
554 | 0 | return 0; |
555 | 1.21M | } |
556 | | |
557 | 1.21M | b0 = (raw_type << 4) | 0x80; /* long */ |
558 | 1.21M | if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed) |
559 | 1.21M | b0 |= 0x40; /* fixed */ |
560 | 1.21M | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
561 | 977k | b0 |= hdr->pn_len - 1; |
562 | 977k | b0 |= (hdr->reserved << 2); |
563 | 977k | } |
564 | 1.21M | if (hdr->type == QUIC_PKT_TYPE_RETRY) |
565 | 241k | b0 |= hdr->unused; |
566 | | |
567 | 1.21M | if (!WPACKET_put_bytes_u8(pkt, b0) |
568 | 1.21M | || !WPACKET_put_bytes_u32(pkt, hdr->version) |
569 | 1.21M | || !WPACKET_put_bytes_u8(pkt, hdr->dst_conn_id.id_len) |
570 | 1.21M | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, |
571 | 1.21M | hdr->dst_conn_id.id_len) |
572 | 1.21M | || !WPACKET_put_bytes_u8(pkt, hdr->src_conn_id.id_len) |
573 | 1.21M | || !WPACKET_memcpy(pkt, hdr->src_conn_id.id, |
574 | 1.21M | hdr->src_conn_id.id_len)) |
575 | 0 | return 0; |
576 | | |
577 | 1.21M | if (hdr->type == QUIC_PKT_TYPE_VERSION_NEG) { |
578 | 0 | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
579 | 0 | return 0; |
580 | | |
581 | 0 | return 1; |
582 | 0 | } |
583 | | |
584 | 1.21M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
585 | 844k | if (!WPACKET_quic_write_vlint(pkt, hdr->token_len) |
586 | 844k | || !WPACKET_memcpy(pkt, hdr->token, hdr->token_len)) |
587 | 0 | return 0; |
588 | 844k | } |
589 | | |
590 | 1.21M | if (hdr->type == QUIC_PKT_TYPE_RETRY) { |
591 | 241k | if (!WPACKET_memcpy(pkt, hdr->token, hdr->token_len)) |
592 | 0 | return 0; |
593 | 241k | return 1; |
594 | 241k | } |
595 | | |
596 | 977k | if (!WPACKET_quic_write_vlint(pkt, hdr->len + hdr->pn_len) |
597 | 977k | || !WPACKET_get_total_written(pkt, &off_pn) |
598 | 977k | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
599 | 0 | return 0; |
600 | 977k | } |
601 | | |
602 | 1.20M | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
603 | 0 | return 0; |
604 | | |
605 | 1.20M | off_sample = off_pn + 4; |
606 | | |
607 | 1.20M | if (ptrs != NULL) { |
608 | 1.20M | ptrs->raw_start = start; |
609 | 1.20M | ptrs->raw_sample = start + (off_sample - off_start); |
610 | 1.20M | ptrs->raw_sample_len |
611 | 1.20M | = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; |
612 | 1.20M | ptrs->raw_pn = start + (off_pn - off_start); |
613 | 1.20M | } |
614 | | |
615 | 1.20M | return 1; |
616 | 1.20M | } |
617 | | |
618 | | int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, |
619 | | const QUIC_PKT_HDR *hdr) |
620 | 52.8M | { |
621 | 52.8M | size_t len = 0, enclen; |
622 | | |
623 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
624 | 52.8M | if (hdr->partial |
625 | 52.8M | || (hdr->type == QUIC_PKT_TYPE_1RTT |
626 | 13.0M | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
627 | 0 | return 0; |
628 | | |
629 | 52.8M | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
630 | | /* Short header. */ |
631 | | |
632 | | /* |
633 | | * Cannot serialize a header whose DCID length is wrong, or with an |
634 | | * invalid PN length. |
635 | | */ |
636 | 13.0M | if (hdr->dst_conn_id.id_len != short_conn_id_len |
637 | 13.0M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
638 | 13.0M | || hdr->pn_len < 1 || hdr->pn_len > 4) |
639 | 0 | return 0; |
640 | | |
641 | 13.0M | return 1 + short_conn_id_len + hdr->pn_len; |
642 | 39.7M | } else { |
643 | | /* Long header. */ |
644 | 39.7M | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
645 | 39.7M | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
646 | 0 | return 0; |
647 | | |
648 | 39.7M | len += 1 /* Initial byte */ + 4 /* Version */ |
649 | 39.7M | + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ |
650 | 39.7M | + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ |
651 | 39.7M | ; |
652 | | |
653 | 39.7M | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
654 | 39.7M | if (hdr->pn_len < 1 || hdr->pn_len > 4) |
655 | 0 | return 0; |
656 | | |
657 | 39.7M | len += hdr->pn_len; |
658 | 39.7M | } |
659 | | |
660 | 39.7M | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
661 | 37.2M | enclen = ossl_quic_vlint_encode_len(hdr->token_len); |
662 | 37.2M | if (!enclen) |
663 | 0 | return 0; |
664 | | |
665 | 37.2M | len += enclen + hdr->token_len; |
666 | 37.2M | } |
667 | | |
668 | 39.7M | if (!ossl_quic_pkt_type_must_be_last(hdr->type)) { |
669 | 39.7M | enclen = ossl_quic_vlint_encode_len(hdr->len + hdr->pn_len); |
670 | 39.7M | if (!enclen) |
671 | 0 | return 0; |
672 | | |
673 | 39.7M | len += enclen; |
674 | 39.7M | } |
675 | | |
676 | 39.7M | return len; |
677 | 39.7M | } |
678 | 52.8M | } |
679 | | |
680 | | int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, |
681 | | size_t buf_len, |
682 | | size_t short_conn_id_len, |
683 | | QUIC_CONN_ID *dst_conn_id) |
684 | 11.7M | { |
685 | 11.7M | unsigned char b0; |
686 | 11.7M | size_t blen; |
687 | | |
688 | 11.7M | if (buf_len < QUIC_MIN_VALID_PKT_LEN |
689 | 5.59M | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
690 | 6.15M | return 0; |
691 | | |
692 | 5.59M | b0 = buf[0]; |
693 | 5.59M | if ((b0 & 0x80) != 0) { |
694 | | /* |
695 | | * Long header. We need 6 bytes (initial byte, 4 version bytes, DCID |
696 | | * length byte to begin with). This is covered by the buf_len test |
697 | | * above. |
698 | | */ |
699 | | |
700 | | /* |
701 | | * If the version field is non-zero (meaning that this is not a Version |
702 | | * Negotiation packet), the fixed bit must be set. |
703 | | */ |
704 | 5.00M | if ((buf[1] || buf[2] || buf[3] || buf[4]) && (b0 & 0x40) == 0) |
705 | 8.47k | return 0; |
706 | | |
707 | 4.99M | blen = (size_t)buf[5]; /* DCID Length */ |
708 | 4.99M | if (blen > QUIC_MAX_CONN_ID_LEN |
709 | 4.45M | || buf_len < QUIC_MIN_VALID_PKT_LEN + blen) |
710 | 542k | return 0; |
711 | | |
712 | 4.45M | dst_conn_id->id_len = (unsigned char)blen; |
713 | 4.45M | memcpy(dst_conn_id->id, buf + 6, blen); |
714 | 4.45M | return 1; |
715 | 4.99M | } else { |
716 | | /* Short header. */ |
717 | 588k | if ((b0 & 0x40) == 0) |
718 | | /* Fixed bit not set, not a valid QUIC packet header. */ |
719 | 487k | return 0; |
720 | | |
721 | 100k | if (buf_len < QUIC_MIN_VALID_PKT_LEN_CRYPTO + short_conn_id_len) |
722 | 1.04k | return 0; |
723 | | |
724 | 99.7k | dst_conn_id->id_len = (unsigned char)short_conn_id_len; |
725 | 99.7k | memcpy(dst_conn_id->id, buf + 1, short_conn_id_len); |
726 | 99.7k | return 1; |
727 | 100k | } |
728 | 5.59M | } |
729 | | |
730 | | int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn, |
731 | | size_t enc_pn_len, |
732 | | QUIC_PN largest_pn, |
733 | | QUIC_PN *res_pn) |
734 | 1.19M | { |
735 | 1.19M | int64_t expected_pn, truncated_pn, candidate_pn, pn_win, pn_hwin, pn_mask; |
736 | | |
737 | 1.19M | switch (enc_pn_len) { |
738 | 40.8k | case 1: |
739 | 40.8k | truncated_pn = enc_pn[0]; |
740 | 40.8k | break; |
741 | 2.36k | case 2: |
742 | 2.36k | truncated_pn = ((QUIC_PN)enc_pn[0] << 8) |
743 | 2.36k | | (QUIC_PN)enc_pn[1]; |
744 | 2.36k | break; |
745 | 397k | case 3: |
746 | 397k | truncated_pn = ((QUIC_PN)enc_pn[0] << 16) |
747 | 397k | | ((QUIC_PN)enc_pn[1] << 8) |
748 | 397k | | (QUIC_PN)enc_pn[2]; |
749 | 397k | break; |
750 | 754k | case 4: |
751 | 754k | truncated_pn = ((QUIC_PN)enc_pn[0] << 24) |
752 | 754k | | ((QUIC_PN)enc_pn[1] << 16) |
753 | 754k | | ((QUIC_PN)enc_pn[2] << 8) |
754 | 754k | | (QUIC_PN)enc_pn[3]; |
755 | 754k | break; |
756 | 0 | default: |
757 | 0 | return 0; |
758 | 1.19M | } |
759 | | |
760 | | /* Implemented as per RFC 9000 Section A.3. */ |
761 | 1.19M | expected_pn = largest_pn + 1; |
762 | 1.19M | pn_win = ((int64_t)1) << (enc_pn_len * 8); |
763 | 1.19M | pn_hwin = pn_win / 2; |
764 | 1.19M | pn_mask = pn_win - 1; |
765 | 1.19M | candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; |
766 | 1.19M | if (candidate_pn <= expected_pn - pn_hwin |
767 | 170k | && candidate_pn < (((int64_t)1) << 62) - pn_win) |
768 | 170k | *res_pn = candidate_pn + pn_win; |
769 | 1.02M | else if (candidate_pn > expected_pn + pn_hwin |
770 | 76.5k | && candidate_pn >= pn_win) |
771 | 66.5k | *res_pn = candidate_pn - pn_win; |
772 | 958k | else |
773 | 958k | *res_pn = candidate_pn; |
774 | 1.19M | return 1; |
775 | 1.19M | } |
776 | | |
777 | | /* From RFC 9000 Section A.2. Simplified implementation. */ |
778 | | int ossl_quic_wire_determine_pn_len(QUIC_PN pn, |
779 | | QUIC_PN largest_acked) |
780 | 0 | { |
781 | 0 | uint64_t num_unacked |
782 | 0 | = (largest_acked == QUIC_PN_INVALID) ? pn + 1 : pn - largest_acked; |
783 | | |
784 | | /* |
785 | | * num_unacked \in [ 0, 2** 7] -> 1 byte |
786 | | * num_unacked \in (2** 7, 2**15] -> 2 bytes |
787 | | * num_unacked \in (2**15, 2**23] -> 3 bytes |
788 | | * num_unacked \in (2**23, ] -> 4 bytes |
789 | | */ |
790 | |
|
791 | 0 | if (num_unacked <= (1U << 7)) |
792 | 0 | return 1; |
793 | 0 | if (num_unacked <= (1U << 15)) |
794 | 0 | return 2; |
795 | 0 | if (num_unacked <= (1U << 23)) |
796 | 0 | return 3; |
797 | 0 | return 4; |
798 | 0 | } |
799 | | |
800 | | int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn, |
801 | | unsigned char *enc_pn, |
802 | | size_t enc_pn_len) |
803 | 2.07M | { |
804 | 2.07M | switch (enc_pn_len) { |
805 | 0 | case 1: |
806 | 0 | enc_pn[0] = (unsigned char)pn; |
807 | 0 | break; |
808 | 0 | case 2: |
809 | 0 | enc_pn[1] = (unsigned char)pn; |
810 | 0 | enc_pn[0] = (unsigned char)(pn >> 8); |
811 | 0 | break; |
812 | 0 | case 3: |
813 | 0 | enc_pn[2] = (unsigned char)pn; |
814 | 0 | enc_pn[1] = (unsigned char)(pn >> 8); |
815 | 0 | enc_pn[0] = (unsigned char)(pn >> 16); |
816 | 0 | break; |
817 | 2.07M | case 4: |
818 | 2.07M | enc_pn[3] = (unsigned char)pn; |
819 | 2.07M | enc_pn[2] = (unsigned char)(pn >> 8); |
820 | 2.07M | enc_pn[1] = (unsigned char)(pn >> 16); |
821 | 2.07M | enc_pn[0] = (unsigned char)(pn >> 24); |
822 | 2.07M | break; |
823 | 0 | default: |
824 | 0 | return 0; |
825 | 2.07M | } |
826 | | |
827 | 2.07M | return 1; |
828 | 2.07M | } |
829 | | |
830 | | int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
831 | | const char *propq, |
832 | | const QUIC_PKT_HDR *hdr, |
833 | | const QUIC_CONN_ID *client_initial_dcid) |
834 | 332k | { |
835 | 332k | unsigned char expected_tag[QUIC_RETRY_INTEGRITY_TAG_LEN]; |
836 | 332k | const unsigned char *actual_tag; |
837 | | |
838 | 332k | if (hdr == NULL || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN) |
839 | 0 | return 0; |
840 | | |
841 | 332k | if (!ossl_quic_calculate_retry_integrity_tag(libctx, propq, |
842 | 332k | hdr, client_initial_dcid, |
843 | 332k | expected_tag)) |
844 | 0 | return 0; |
845 | | |
846 | 332k | actual_tag = hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN; |
847 | | |
848 | 332k | return !CRYPTO_memcmp(expected_tag, actual_tag, |
849 | 332k | QUIC_RETRY_INTEGRITY_TAG_LEN); |
850 | 332k | } |
851 | | |
852 | | /* RFC 9001 s. 5.8 */ |
853 | | static const unsigned char retry_integrity_key[] = { |
854 | | 0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, |
855 | | 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e |
856 | | }; |
857 | | |
858 | | static const unsigned char retry_integrity_nonce[] = { |
859 | | 0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, |
860 | | 0x23, 0x98, 0x25, 0xbb |
861 | | }; |
862 | | |
863 | | int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
864 | | const char *propq, |
865 | | const QUIC_PKT_HDR *hdr, |
866 | | const QUIC_CONN_ID *client_initial_dcid, |
867 | | unsigned char *tag) |
868 | 332k | { |
869 | 332k | EVP_CIPHER *cipher = NULL; |
870 | 332k | EVP_CIPHER_CTX *cctx = NULL; |
871 | 332k | int ok = 0, l = 0, l2 = 0, wpkt_valid = 0; |
872 | 332k | WPACKET wpkt; |
873 | | /* Worst case length of the Retry Psuedo-Packet header is 68 bytes. */ |
874 | 332k | unsigned char buf[128]; |
875 | 332k | QUIC_PKT_HDR hdr2; |
876 | 332k | size_t hdr_enc_len = 0; |
877 | | |
878 | 332k | if (hdr->type != QUIC_PKT_TYPE_RETRY || hdr->version == 0 |
879 | 332k | || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN |
880 | 332k | || hdr->data == NULL |
881 | 332k | || client_initial_dcid == NULL || tag == NULL |
882 | 332k | || client_initial_dcid->id_len > QUIC_MAX_CONN_ID_LEN) { |
883 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
884 | 0 | goto err; |
885 | 0 | } |
886 | | |
887 | | /* |
888 | | * Do not reserve packet body in WPACKET. Retry packet header |
889 | | * does not contain a Length field so this does not affect |
890 | | * the serialized packet header. |
891 | | */ |
892 | 332k | hdr2 = *hdr; |
893 | 332k | hdr2.len = 0; |
894 | | |
895 | | /* Assemble retry psuedo-packet. */ |
896 | 332k | if (!WPACKET_init_static_len(&wpkt, buf, sizeof(buf), 0)) { |
897 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
898 | 0 | goto err; |
899 | 0 | } |
900 | | |
901 | 332k | wpkt_valid = 1; |
902 | | |
903 | | /* Prepend original DCID to the packet. */ |
904 | 332k | if (!WPACKET_put_bytes_u8(&wpkt, client_initial_dcid->id_len) |
905 | 332k | || !WPACKET_memcpy(&wpkt, client_initial_dcid->id, |
906 | 332k | client_initial_dcid->id_len)) { |
907 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
908 | 0 | goto err; |
909 | 0 | } |
910 | | |
911 | | /* Encode main retry header. */ |
912 | 332k | if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, hdr2.dst_conn_id.id_len, |
913 | 332k | &hdr2, NULL)) |
914 | 0 | goto err; |
915 | | |
916 | 332k | if (!WPACKET_get_total_written(&wpkt, &hdr_enc_len)) { |
917 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
918 | 0 | goto err; |
919 | 0 | } |
920 | | |
921 | | /* Create and initialise cipher context. */ |
922 | | /* TODO(QUIC FUTURE): Cipher fetch caching. */ |
923 | 332k | if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", propq)) == NULL) { |
924 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
925 | 0 | goto err; |
926 | 0 | } |
927 | | |
928 | 332k | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
929 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
930 | 0 | goto err; |
931 | 0 | } |
932 | | |
933 | 332k | if (!EVP_CipherInit_ex(cctx, cipher, NULL, |
934 | 332k | retry_integrity_key, retry_integrity_nonce, /*enc=*/1)) { |
935 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
936 | 0 | goto err; |
937 | 0 | } |
938 | | |
939 | | /* Feed packet header as AAD data. */ |
940 | 332k | if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) { |
941 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
942 | 0 | goto err; |
943 | 0 | } |
944 | | |
945 | | /* Feed packet body as AAD data. */ |
946 | 332k | if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data, |
947 | 332k | hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) |
948 | 332k | != 1) { |
949 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
950 | 0 | goto err; |
951 | 0 | } |
952 | | |
953 | | /* Finalise and get tag. */ |
954 | 332k | if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { |
955 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
956 | 0 | goto err; |
957 | 0 | } |
958 | | |
959 | 332k | if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, |
960 | 332k | QUIC_RETRY_INTEGRITY_TAG_LEN, |
961 | 332k | tag) |
962 | 332k | != 1) { |
963 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
964 | 0 | goto err; |
965 | 0 | } |
966 | | |
967 | 332k | ok = 1; |
968 | 332k | err: |
969 | 332k | EVP_CIPHER_free(cipher); |
970 | 332k | EVP_CIPHER_CTX_free(cctx); |
971 | 332k | if (wpkt_valid) |
972 | 332k | WPACKET_finish(&wpkt); |
973 | | |
974 | 332k | return ok; |
975 | 332k | } |