Etusivu Tutki Apua
Kirjaudu sisään
OWEALs
/
openssl
peilaus alkaen git://git.openssl.org/openssl.git
2
0
Fork 0
Tiedostot Ongelmat 1 Wiki
Puu: 036dc4fc1a
Haarat Tagit
openssl
/
ssl
/
quic
/
quic_wire_pkt.c

quic_wire_pkt.c 31 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945 
  1. /*
    2. 

  2.  * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    5. 

  5.  * this file except in compliance with the License.  You can obtain a copy
    6. 

  6.  * in the file LICENSE in the source distribution or at
    7. 

  7.  * https://www.openssl.org/source/license.html
    8. 

  8.  */
    9. 

  9. 

  10. #include <openssl/err.h>
    11. 

  11. #include "internal/common.h"
    12. 

  12. #include "internal/quic_wire_pkt.h"
    13. 

  13. 

  14. int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr,
    15. 

  15.                                  OSSL_LIB_CTX *libctx,
    16. 

  16.                                  const char *propq,
    17. 

  17.                                  uint32_t cipher_id,
    18. 

  18.                                  const unsigned char *quic_hp_key,
    19. 

  19.                                  size_t quic_hp_key_len)
    20. 

  20. {
    21. 

  21.     const char *cipher_name = NULL;
    22. 

  22. 

  23.     switch (cipher_id) {
    24. 

  24.         case QUIC_HDR_PROT_CIPHER_AES_128:
    25. 

  25.             cipher_name = "AES-128-ECB";
    26. 

  26.             break;
    27. 

  27.         case QUIC_HDR_PROT_CIPHER_AES_256:
    28. 

  28.             cipher_name = "AES-256-ECB";
    29. 

  29.             break;
    30. 

  30.         case QUIC_HDR_PROT_CIPHER_CHACHA:
    31. 

  31.             cipher_name = "ChaCha20";
    32. 

  32.             break;
    33. 

  33.         default:
    34. 

  34.             ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED);
    35. 

  35.             return 0;
    36. 

  36.     }
    37. 

  37. 

  38.     hpr->cipher_ctx = EVP_CIPHER_CTX_new();
    39. 

  39.     if (hpr->cipher_ctx == NULL) {
    40. 

  40.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    41. 

  41.         return 0;
    42. 

  42.     }
    43. 

  43. 

  44.     hpr->cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq);
    45. 

  45.     if (hpr->cipher == NULL
    46. 

  46.         || quic_hp_key_len != (size_t)EVP_CIPHER_get_key_length(hpr->cipher)) {
    47. 

  47.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    48. 

  48.         goto err;
    49. 

  49.     }
    50. 

  50. 

  51.     if (!EVP_CipherInit_ex(hpr->cipher_ctx, hpr->cipher, NULL,
    52. 

  52.                            quic_hp_key, NULL, 1)) {
    53. 

  53.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    54. 

  54.         goto err;
    55. 

  55.     }
    56. 

  56. 

  57.     hpr->libctx     = libctx;
    58. 

  58.     hpr->propq      = propq;
    59. 

  59.     hpr->cipher_id  = cipher_id;
    60. 

  60.     return 1;
    61. 

  61. 

  62. err:
    63. 

  63.     ossl_quic_hdr_protector_cleanup(hpr);
    64. 

  64.     return 0;
    65. 

  65. }
    66. 

  66. 

  67. void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr)
    68. 

  68. {
    69. 

  69.     EVP_CIPHER_CTX_free(hpr->cipher_ctx);
    70. 

  70.     hpr->cipher_ctx = NULL;
    71. 

  71. 

  72.     EVP_CIPHER_free(hpr->cipher);
    73. 

  73.     hpr->cipher = NULL;
    74. 

  74. }
    75. 

  75. 

  76. static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr,
    77. 

  77.                              const unsigned char *sample, size_t sample_len,
    78. 

  78.                              unsigned char *mask)
    79. 

  79. {
    80. 

  80.     int l = 0;
    81. 

  81.     unsigned char dst[16];
    82. 

  82.     static const unsigned char zeroes[5] = {0};
    83. 

  83.     size_t i;
    84. 

  84. 

  85.     if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_128
    86. 

  86.         || hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_256) {
    87. 

  87.         if (sample_len < 16) {
    88. 

  88.             ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
    89. 

  89.             return 0;
    90. 

  90.         }
    91. 

  91. 

  92.         if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, NULL, 1)
    93. 

  93.             || !EVP_CipherUpdate(hpr->cipher_ctx, dst, &l, sample, 16)) {
    94. 

  94.             ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    95. 

  95.             return 0;
    96. 

  96.         }
    97. 

  97. 

  98.         for (i = 0; i < 5; ++i)
    99. 

  99.             mask[i] = dst[i];
    100. 

  100.     } else if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_CHACHA) {
    101. 

  101.         if (sample_len < 16) {
    102. 

  102.             ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
    103. 

  103.             return 0;
    104. 

  104.         }
    105. 

  105. 

  106.         if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, sample, 1)
    107. 

  107.             || !EVP_CipherUpdate(hpr->cipher_ctx, mask, &l,
    108. 

  108.                                  zeroes, sizeof(zeroes))) {
    109. 

  109.             ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    110. 

  110.             return 0;
    111. 

  111.         }
    112. 

  112.     } else {
    113. 

  113.         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
    114. 

  114.         assert(0);
    115. 

  115.         return 0;
    116. 

  116.     }
    117. 

  117. 

  118. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    119. 

  119.     /* No matter what we did above we use the same mask in fuzzing mode */
    120. 

  120.     memset(mask, 0, 5);
    121. 

  121. #endif
    122. 

  122. 

  123.     return 1;
    124. 

  124. }
    125. 

  125. 

  126. int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr,
    127. 

  127.                                     QUIC_PKT_HDR_PTRS *ptrs)
    128. 

  128. {
    129. 

  129.     return ossl_quic_hdr_protector_decrypt_fields(hpr,
    130. 

  130.                                                   ptrs->raw_sample,
    131. 

  131.                                                   ptrs->raw_sample_len,
    132. 

  132.                                                   ptrs->raw_start,
    133. 

  133.                                                   ptrs->raw_pn);
    134. 

  134. }
    135. 

  135. 

  136. int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr,
    137. 

  137.                                            const unsigned char *sample,
    138. 

  138.                                            size_t sample_len,
    139. 

  139.                                            unsigned char *first_byte,
    140. 

  140.                                            unsigned char *pn_bytes)
    141. 

  141. {
    142. 

  142.     unsigned char mask[5], pn_len, i;
    143. 

  143. 

  144.     if (!hdr_generate_mask(hpr, sample, sample_len, mask))
    145. 

  145.         return 0;
    146. 

  146. 

  147.     *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f);
    148. 

  148.     pn_len = (*first_byte & 0x3) + 1;
    149. 

  149. 

  150.     for (i = 0; i < pn_len; ++i)
    151. 

  151.         pn_bytes[i] ^= mask[i + 1];
    152. 

  152. 

  153.     return 1;
    154. 

  154. }
    155. 

  155. 

  156. int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr,
    157. 

  157.                                     QUIC_PKT_HDR_PTRS *ptrs)
    158. 

  158. {
    159. 

  159.     return ossl_quic_hdr_protector_encrypt_fields(hpr,
    160. 

  160.                                                   ptrs->raw_sample,
    161. 

  161.                                                   ptrs->raw_sample_len,
    162. 

  162.                                                   ptrs->raw_start,
    163. 

  163.                                                   ptrs->raw_pn);
    164. 

  164. }
    165. 

  165. 

  166. int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr,
    167. 

  167.                                            const unsigned char *sample,
    168. 

  168.                                            size_t sample_len,
    169. 

  169.                                            unsigned char *first_byte,
    170. 

  170.                                            unsigned char *pn_bytes)
    171. 

  171. {
    172. 

  172.     unsigned char mask[5], pn_len, i;
    173. 

  173. 

  174.     if (!hdr_generate_mask(hpr, sample, sample_len, mask))
    175. 

  175.         return 0;
    176. 

  176. 

  177.     pn_len = (*first_byte & 0x3) + 1;
    178. 

  178.     for (i = 0; i < pn_len; ++i)
    179. 

  179.         pn_bytes[i] ^= mask[i + 1];
    180. 

  180. 

  181.     *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f);
    182. 

  182.     return 1;
    183. 

  183. }
    184. 

  184. 

  185. int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt,
    186. 

  186.                                   size_t short_conn_id_len,
    187. 

  187.                                   int partial,
    188. 

  188.                                   int nodata,
    189. 

  189.                                   QUIC_PKT_HDR *hdr,
    190. 

  190.                                   QUIC_PKT_HDR_PTRS *ptrs)
    191. 

  191. {
    192. 

  192.     unsigned int b0;
    193. 

  193.     unsigned char *pn = NULL;
    194. 

  194.     size_t l = PACKET_remaining(pkt);
    195. 

  195. 

  196.     if (ptrs != NULL) {
    197. 

  197.         ptrs->raw_start         = (unsigned char *)PACKET_data(pkt);
    198. 

  198.         ptrs->raw_sample        = NULL;
    199. 

  199.         ptrs->raw_sample_len    = 0;
    200. 

  200.         ptrs->raw_pn            = NULL;
    201. 

  201.     }
    202. 

  202. 

  203.     if (l < QUIC_MIN_VALID_PKT_LEN
    204. 

  204.         || !PACKET_get_1(pkt, &b0))
    205. 

  205.         return 0;
    206. 

  206. 

  207.     hdr->partial    = partial;
    208. 

  208.     hdr->unused     = 0;
    209. 

  209.     hdr->reserved   = 0;
    210. 

  210. 

  211.     if ((b0 & 0x80) == 0) {
    212. 

  212.         /* Short header. */
    213. 

  213.         if (short_conn_id_len > QUIC_MAX_CONN_ID_LEN)
    214. 

  214.             return 0;
    215. 

  215. 

  216.         if ((b0 & 0x40) == 0 /* fixed bit not set? */
    217. 

  217.             || l < QUIC_MIN_VALID_PKT_LEN_CRYPTO)
    218. 

  218.             return 0;
    219. 

  219. 

  220.         hdr->type       = QUIC_PKT_TYPE_1RTT;
    221. 

  221.         hdr->fixed      = 1;
    222. 

  222.         hdr->spin_bit   = (b0 & 0x20) != 0;
    223. 

  223.         if (partial) {
    224. 

  224.             hdr->key_phase  = 0; /* protected, zero for now */
    225. 

  225.             hdr->pn_len     = 0; /* protected, zero for now */
    226. 

  226.             hdr->reserved   = 0; /* protected, zero for now */
    227. 

  227.         } else {
    228. 

  228.             hdr->key_phase  = (b0 & 0x04) != 0;
    229. 

  229.             hdr->pn_len     = (b0 & 0x03) + 1;
    230. 

  230.             hdr->reserved   = (b0 & 0x18) >> 3;
    231. 

  231.         }
    232. 

  232. 

  233.         /* Copy destination connection ID field to header structure. */
    234. 

  234.         if (!PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, short_conn_id_len))
    235. 

  235.             return 0;
    236. 

  236. 

  237.         hdr->dst_conn_id.id_len = (unsigned char)short_conn_id_len;
    238. 

  238. 

  239.         /*
    240. 

  240.          * Skip over the PN. If this is a partial decode, the PN length field
    241. 

  241.          * currently has header protection applied. Thus we do not know the
    242. 

  242.          * length of the PN but we are allowed to assume it is 4 bytes long at
    243. 

  243.          * this stage.
    244. 

  244.          */
    245. 

  245.         memset(hdr->pn, 0, sizeof(hdr->pn));
    246. 

  246.         pn = (unsigned char *)PACKET_data(pkt);
    247. 

  247.         if (partial) {
    248. 

  248.             if (!PACKET_forward(pkt, sizeof(hdr->pn)))
    249. 

  249.                 return 0;
    250. 

  250.         } else {
    251. 

  251.             if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len))
    252. 

  252.                 return 0;
    253. 

  253.         }
    254. 

  254. 

  255.         /* Fields not used in short-header packets. */
    256. 

  256.         hdr->version            = 0;
    257. 

  257.         hdr->src_conn_id.id_len = 0;
    258. 

  258.         hdr->token              = NULL;
    259. 

  259.         hdr->token_len          = 0;
    260. 

  260. 

  261.         /*
    262. 

  262.          * Short-header packets always come last in a datagram, the length
    263. 

  263.          * is the remainder of the buffer.
    264. 

  264.          */
    265. 

  265.         hdr->len                = PACKET_remaining(pkt);
    266. 

  266.         hdr->data               = PACKET_data(pkt);
    267. 

  267. 

  268.         /*
    269. 

  269.          * Skip over payload. Since this is a short header packet, which cannot
    270. 

  270.          * be followed by any other kind of packet, this advances us to the end
    271. 

  271.          * of the datagram.
    272. 

  272.          */
    273. 

  273.         if (!PACKET_forward(pkt, hdr->len))
    274. 

  274.             return 0;
    275. 

  275.     } else {
    276. 

  276.         /* Long header. */
    277. 

  277.         unsigned long version;
    278. 

  278.         unsigned int dst_conn_id_len, src_conn_id_len, raw_type;
    279. 

  279. 

  280.         if (!PACKET_get_net_4(pkt, &version))
    281. 

  281.             return 0;
    282. 

  282. 

  283.         /*
    284. 

  284.          * All QUIC packets must have the fixed bit set, except exceptionally
    285. 

  285.          * for Version Negotiation packets.
    286. 

  286.          */
    287. 

  287.         if (version != 0 && (b0 & 0x40) == 0)
    288. 

  288.             return 0;
    289. 

  289. 

  290.         if (!PACKET_get_1(pkt, &dst_conn_id_len)
    291. 

  291.             || dst_conn_id_len > QUIC_MAX_CONN_ID_LEN
    292. 

  292.             || !PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, dst_conn_id_len)
    293. 

  293.             || !PACKET_get_1(pkt, &src_conn_id_len)
    294. 

  294.             || src_conn_id_len > QUIC_MAX_CONN_ID_LEN
    295. 

  295.             || !PACKET_copy_bytes(pkt, hdr->src_conn_id.id, src_conn_id_len))
    296. 

  296.             return 0;
    297. 

  297. 

  298.         hdr->version            = (uint32_t)version;
    299. 

  299.         hdr->dst_conn_id.id_len = (unsigned char)dst_conn_id_len;
    300. 

  300.         hdr->src_conn_id.id_len = (unsigned char)src_conn_id_len;
    301. 

  301. 

  302.         if (version == 0) {
    303. 

  303.             /*
    304. 

  304.              * Version negotiation packet. Version negotiation packets are
    305. 

  305.              * identified by a version field of 0 and the type bits in the first
    306. 

  306.              * byte are ignored (they may take any value, and we ignore them).
    307. 

  307.              */
    308. 

  308.             hdr->type       = QUIC_PKT_TYPE_VERSION_NEG;
    309. 

  309.             hdr->fixed      = (b0 & 0x40) != 0;
    310. 

  310. 

  311.             hdr->data       = PACKET_data(pkt);
    312. 

  312.             hdr->len        = PACKET_remaining(pkt);
    313. 

  313. 

  314.             /*
    315. 

  315.              * Version negotiation packets must contain an array of u32s, so it
    316. 

  316.              * is invalid for their payload length to not be divisible by 4.
    317. 

  317.              */
    318. 

  318.             if ((hdr->len % 4) != 0)
    319. 

  319.                 return 0;
    320. 

  320. 

  321.             /* Version negotiation packets are always fully decoded. */
    322. 

  322.             hdr->partial    = 0;
    323. 

  323. 

  324.             /* Fields not used in version negotiation packets. */
    325. 

  325.             hdr->pn_len             = 0;
    326. 

  326.             hdr->spin_bit           = 0;
    327. 

  327.             hdr->key_phase          = 0;
    328. 

  328.             hdr->token              = NULL;
    329. 

  329.             hdr->token_len          = 0;
    330. 

  330.             memset(hdr->pn, 0, sizeof(hdr->pn));
    331. 

  331. 

  332.             if (!PACKET_forward(pkt, hdr->len))
    333. 

  333.                 return 0;
    334. 

  334.         } else if (version != QUIC_VERSION_1) {
    335. 

  335.             /* Unknown version, do not decode. */
    336. 

  336.             return 0;
    337. 

  337.         } else {
    338. 

  338.             if (l < QUIC_MIN_VALID_PKT_LEN_CRYPTO)
    339. 

  339.                 return 0;
    340. 

  340. 

  341.             /* Get long packet type and decode to QUIC_PKT_TYPE_*. */
    342. 

  342.             raw_type = ((b0 >> 4) & 0x3);
    343. 

  343. 

  344.             switch (raw_type) {
    345. 

  345.             case 0:
    346. 

  346.                 hdr->type = QUIC_PKT_TYPE_INITIAL;
    347. 

  347.                 break;
    348. 

  348.             case 1:
    349. 

  349.                 hdr->type = QUIC_PKT_TYPE_0RTT;
    350. 

  350.                 break;
    351. 

  351.             case 2:
    352. 

  352.                 hdr->type = QUIC_PKT_TYPE_HANDSHAKE;
    353. 

  353.                 break;
    354. 

  354.             case 3:
    355. 

  355.                 hdr->type = QUIC_PKT_TYPE_RETRY;
    356. 

  356.                 break;
    357. 

  357.             }
    358. 

  358. 

  359.             hdr->pn_len     = 0;
    360. 

  360.             hdr->fixed      = 1;
    361. 

  361. 

  362.             /* Fields not used in long-header packets. */
    363. 

  363.             hdr->spin_bit   = 0;
    364. 

  364.             hdr->key_phase  = 0;
    365. 

  365. 

  366.             if (hdr->type == QUIC_PKT_TYPE_INITIAL) {
    367. 

  367.                 /* Initial packet. */
    368. 

  368.                 uint64_t token_len;
    369. 

  369. 

  370.                 if (!PACKET_get_quic_vlint(pkt, &token_len)
    371. 

  371.                     || token_len > SIZE_MAX
    372. 

  372.                     || !PACKET_get_bytes(pkt, &hdr->token, (size_t)token_len))
    373. 

  373.                     return 0;
    374. 

  374. 

  375.                 hdr->token_len  = (size_t)token_len;
    376. 

  376.                 if (token_len == 0)
    377. 

  377.                     hdr->token = NULL;
    378. 

  378.             } else {
    379. 

  379.                 hdr->token      = NULL;
    380. 

  380.                 hdr->token_len  = 0;
    381. 

  381.             }
    382. 

  382. 

  383.             if (hdr->type == QUIC_PKT_TYPE_RETRY) {
    384. 

  384.                 /* Retry packet. */
    385. 

  385.                 hdr->data       = PACKET_data(pkt);
    386. 

  386.                 hdr->len        = PACKET_remaining(pkt);
    387. 

  387. 

  388.                 /* Retry packets are always fully decoded. */
    389. 

  389.                 hdr->partial    = 0;
    390. 

  390. 

  391.                 /* Unused bits in Retry header. */
    392. 

  392.                 hdr->unused     = b0 & 0x0f;
    393. 

  393. 

  394.                 /* Fields not used in Retry packets. */
    395. 

  395.                 memset(hdr->pn, 0, sizeof(hdr->pn));
    396. 

  396. 

  397.                 if (!PACKET_forward(pkt, hdr->len))
    398. 

  398.                     return 0;
    399. 

  399.             } else {
    400. 

  400.                 /* Initial, 0-RTT or Handshake packet. */
    401. 

  401.                 uint64_t len;
    402. 

  402. 

  403.                 hdr->pn_len     = partial ? 0 : ((b0 & 0x03) + 1);
    404. 

  404.                 hdr->reserved   = partial ? 0 : ((b0 & 0x0C) >> 2);
    405. 

  405. 

  406.                 if (!PACKET_get_quic_vlint(pkt, &len)
    407. 

  407.                         || len < sizeof(hdr->pn))
    408. 

  408.                     return 0;
    409. 

  409. 

  410.                 if (!nodata && len > PACKET_remaining(pkt))
    411. 

  411.                     return 0;
    412. 

  412. 

  413.                 /*
    414. 

  414.                  * Skip over the PN. If this is a partial decode, the PN length
    415. 

  415.                  * field currently has header protection applied. Thus we do not
    416. 

  416.                  * know the length of the PN but we are allowed to assume it is
    417. 

  417.                  * 4 bytes long at this stage.
    418. 

  418.                  */
    419. 

  419.                 pn = (unsigned char *)PACKET_data(pkt);
    420. 

  420.                 memset(hdr->pn, 0, sizeof(hdr->pn));
    421. 

  421.                 if (partial) {
    422. 

  422.                     if (!PACKET_forward(pkt, sizeof(hdr->pn)))
    423. 

  423.                         return 0;
    424. 

  424. 

  425.                     hdr->len = (size_t)(len - sizeof(hdr->pn));
    426. 

  426.                 } else {
    427. 

  427.                     if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len))
    428. 

  428.                         return 0;
    429. 

  429. 

  430.                     hdr->len = (size_t)(len - hdr->pn_len);
    431. 

  431.                 }
    432. 

  432. 

  433.                 if (nodata) {
    434. 

  434.                     hdr->data = NULL;
    435. 

  435.                 } else {
    436. 

  436.                     hdr->data = PACKET_data(pkt);
    437. 

  437. 

  438.                     /* Skip over packet body. */
    439. 

  439.                     if (!PACKET_forward(pkt, hdr->len))
    440. 

  440.                         return 0;
    441. 

  441.                 }
    442. 

  442.             }
    443. 

  443.         }
    444. 

  444.     }
    445. 

  445. 

  446.     if (ptrs != NULL) {
    447. 

  447.         ptrs->raw_pn = pn;
    448. 

  448.         if (pn != NULL) {
    449. 

  449.             ptrs->raw_sample        = pn + 4;
    450. 

  450.             ptrs->raw_sample_len    = PACKET_end(pkt) - ptrs->raw_sample;
    451. 

  451.         }
    452. 

  452.     }
    453. 

  453. 

  454.     return 1;
    455. 

  455. }
    456. 

  456. 

  457. int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt,
    458. 

  458.                                   size_t short_conn_id_len,
    459. 

  459.                                   const QUIC_PKT_HDR *hdr,
    460. 

  460.                                   QUIC_PKT_HDR_PTRS *ptrs)
    461. 

  461. {
    462. 

  462.     unsigned char b0;
    463. 

  463.     size_t off_start, off_sample, off_pn;
    464. 

  464.     unsigned char *start = WPACKET_get_curr(pkt);
    465. 

  465. 

  466.     if (!WPACKET_get_total_written(pkt, &off_start))
    467. 

  467.         return 0;
    468. 

  468. 

  469.     if (ptrs != NULL) {
    470. 

  470.         /* ptrs would not be stable on non-static WPACKET */
    471. 

  471.         if (!ossl_assert(pkt->staticbuf != NULL))
    472. 

  472.             return 0;
    473. 

  473.         ptrs->raw_start         = NULL;
    474. 

  474.         ptrs->raw_sample        = NULL;
    475. 

  475.         ptrs->raw_sample_len    = 0;
    476. 

  476.         ptrs->raw_pn            = 0;
    477. 

  477.     }
    478. 

  478. 

  479.     /* Cannot serialize a partial header, or one whose DCID length is wrong. */
    480. 

  480.     if (hdr->partial
    481. 

  481.         || (hdr->type == QUIC_PKT_TYPE_1RTT
    482. 

  482.             && hdr->dst_conn_id.id_len != short_conn_id_len))
    483. 

  483.         return 0;
    484. 

  484. 

  485.     if (hdr->type == QUIC_PKT_TYPE_1RTT) {
    486. 

  486.         /* Short header. */
    487. 

  487. 

  488.         /*
    489. 

  489.          * Cannot serialize a header whose DCID length is wrong, or with an
    490. 

  490.          * invalid PN length.
    491. 

  491.          */
    492. 

  492.         if (hdr->dst_conn_id.id_len != short_conn_id_len
    493. 

  493.             || short_conn_id_len > QUIC_MAX_CONN_ID_LEN
    494. 

  494.             || hdr->pn_len < 1 || hdr->pn_len > 4)
    495. 

  495.             return 0;
    496. 

  496. 

  497.         b0 = (hdr->spin_bit << 5)
    498. 

  498.              | (hdr->key_phase << 2)
    499. 

  499.              | (hdr->pn_len - 1)
    500. 

  500.              | (hdr->reserved << 3)
    501. 

  501.              | 0x40; /* fixed bit */
    502. 

  502. 

  503.         if (!WPACKET_put_bytes_u8(pkt, b0)
    504. 

  504.             || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, short_conn_id_len)
    505. 

  505.             || !WPACKET_get_total_written(pkt, &off_pn)
    506. 

  506.             || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len))
    507. 

  507.             return 0;
    508. 

  508.     } else {
    509. 

  509.         /* Long header. */
    510. 

  510.         unsigned int raw_type;
    511. 

  511. 

  512.         if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN
    513. 

  513.             || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN)
    514. 

  514.             return 0;
    515. 

  515. 

  516.         if (ossl_quic_pkt_type_has_pn(hdr->type)
    517. 

  517.             && (hdr->pn_len < 1 || hdr->pn_len > 4))
    518. 

  518.             return 0;
    519. 

  519. 

  520.         switch (hdr->type) {
    521. 

  521.             case QUIC_PKT_TYPE_VERSION_NEG:
    522. 

  522.                 if (hdr->version != 0)
    523. 

  523.                     return 0;
    524. 

  524. 

  525.                 /* Version negotiation packets use zero for the type bits */
    526. 

  526.                 raw_type = 0;
    527. 

  527.                 break;
    528. 

  528. 

  529.             case QUIC_PKT_TYPE_INITIAL:     raw_type = 0; break;
    530. 

  530.             case QUIC_PKT_TYPE_0RTT:        raw_type = 1; break;
    531. 

  531.             case QUIC_PKT_TYPE_HANDSHAKE:   raw_type = 2; break;
    532. 

  532.             case QUIC_PKT_TYPE_RETRY:       raw_type = 3; break;
    533. 

  533.             default:
    534. 

  534.                 return 0;
    535. 

  535.         }
    536. 

  536. 

  537.         b0 = (raw_type << 4) | 0x80; /* long */
    538. 

  538.         if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed)
    539. 

  539.             b0 |= 0x40; /* fixed */
    540. 

  540.         if (ossl_quic_pkt_type_has_pn(hdr->type)) {
    541. 

  541.             b0 |= hdr->pn_len - 1;
    542. 

  542.             b0 |= (hdr->reserved << 2);
    543. 

  543.         }
    544. 

  544.         if (hdr->type == QUIC_PKT_TYPE_RETRY)
    545. 

  545.             b0 |= hdr->unused;
    546. 

  546. 

  547.         if (!WPACKET_put_bytes_u8(pkt, b0)
    548. 

  548.             || !WPACKET_put_bytes_u32(pkt, hdr->version)
    549. 

  549.             || !WPACKET_put_bytes_u8(pkt, hdr->dst_conn_id.id_len)
    550. 

  550.             || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id,
    551. 

  551.                                hdr->dst_conn_id.id_len)
    552. 

  552.             || !WPACKET_put_bytes_u8(pkt, hdr->src_conn_id.id_len)
    553. 

  553.             || !WPACKET_memcpy(pkt, hdr->src_conn_id.id,
    554. 

  554.                                hdr->src_conn_id.id_len))
    555. 

  555.             return 0;
    556. 

  556. 

  557.         if (hdr->type == QUIC_PKT_TYPE_VERSION_NEG
    558. 

  558.             || hdr->type == QUIC_PKT_TYPE_RETRY) {
    559. 

  559.             if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL))
    560. 

  560.                 return 0;
    561. 

  561. 

  562.             return 1;
    563. 

  563.         }
    564. 

  564. 

  565.         if (hdr->type == QUIC_PKT_TYPE_INITIAL) {
    566. 

  566.             if (!WPACKET_quic_write_vlint(pkt, hdr->token_len)
    567. 

  567.                 || !WPACKET_memcpy(pkt, hdr->token, hdr->token_len))
    568. 

  568.                 return 0;
    569. 

  569.         }
    570. 

  570. 

  571.         if (!WPACKET_quic_write_vlint(pkt, hdr->len + hdr->pn_len)
    572. 

  572.             || !WPACKET_get_total_written(pkt, &off_pn)
    573. 

  573.             || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len))
    574. 

  574.             return 0;
    575. 

  575.     }
    576. 

  576. 

  577.     if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL))
    578. 

  578.         return 0;
    579. 

  579. 

  580.     off_sample = off_pn + 4;
    581. 

  581. 

  582.     if (ptrs != NULL) {
    583. 

  583.         ptrs->raw_start         = start;
    584. 

  584.         ptrs->raw_sample        = start + (off_sample - off_start);
    585. 

  585.         ptrs->raw_sample_len
    586. 

  586.             = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample;
    587. 

  587.         ptrs->raw_pn            = start + (off_pn - off_start);
    588. 

  588.     }
    589. 

  589. 

  590.     return 1;
    591. 

  591. }
    592. 

  592. 

  593. int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len,
    594. 

  594.                                            const QUIC_PKT_HDR *hdr)
    595. 

  595. {
    596. 

  596.     size_t len = 0, enclen;
    597. 

  597. 

  598.     /* Cannot serialize a partial header, or one whose DCID length is wrong. */
    599. 

  599.     if (hdr->partial
    600. 

  600.         || (hdr->type == QUIC_PKT_TYPE_1RTT
    601. 

  601.             && hdr->dst_conn_id.id_len != short_conn_id_len))
    602. 

  602.         return 0;
    603. 

  603. 

  604.     if (hdr->type == QUIC_PKT_TYPE_1RTT) {
    605. 

  605.         /* Short header. */
    606. 

  606. 

  607.         /*
    608. 

  608.          * Cannot serialize a header whose DCID length is wrong, or with an
    609. 

  609.          * invalid PN length.
    610. 

  610.          */
    611. 

  611.         if (hdr->dst_conn_id.id_len != short_conn_id_len
    612. 

  612.             || short_conn_id_len > QUIC_MAX_CONN_ID_LEN
    613. 

  613.             || hdr->pn_len < 1 || hdr->pn_len > 4)
    614. 

  614.             return 0;
    615. 

  615. 

  616.         return 1 + short_conn_id_len + hdr->pn_len;
    617. 

  617.     } else {
    618. 

  618.         /* Long header. */
    619. 

  619.         if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN
    620. 

  620.             || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN)
    621. 

  621.             return 0;
    622. 

  622. 

  623.         len += 1 /* Initial byte */ + 4 /* Version */
    624. 

  624.             + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */
    625. 

  625.             + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */
    626. 

  626.             ;
    627. 

  627. 

  628.         if (ossl_quic_pkt_type_has_pn(hdr->type)) {
    629. 

  629.             if (hdr->pn_len < 1 || hdr->pn_len > 4)
    630. 

  630.                 return 0;
    631. 

  631. 

  632.             len += hdr->pn_len;
    633. 

  633.         }
    634. 

  634. 

  635.         if (hdr->type == QUIC_PKT_TYPE_INITIAL) {
    636. 

  636.             enclen = ossl_quic_vlint_encode_len(hdr->token_len);
    637. 

  637.             if (!enclen)
    638. 

  638.                 return 0;
    639. 

  639. 

  640.             len += enclen + hdr->token_len;
    641. 

  641.         }
    642. 

  642. 

  643.         if (!ossl_quic_pkt_type_must_be_last(hdr->type)) {
    644. 

  644.             enclen = ossl_quic_vlint_encode_len(hdr->len + hdr->pn_len);
    645. 

  645.             if (!enclen)
    646. 

  646.                 return 0;
    647. 

  647. 

  648.             len += enclen;
    649. 

  649.         }
    650. 

  650. 

  651.         return len;
    652. 

  652.     }
    653. 

  653. }
    654. 

  654. 

  655. int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf,
    656. 

  656.                                            size_t buf_len,
    657. 

  657.                                            size_t short_conn_id_len,
    658. 

  658.                                            QUIC_CONN_ID *dst_conn_id)
    659. 

  659. {
    660. 

  660.     unsigned char b0;
    661. 

  661.     size_t blen;
    662. 

  662. 

  663.     if (buf_len < QUIC_MIN_VALID_PKT_LEN
    664. 

  664.         || short_conn_id_len > QUIC_MAX_CONN_ID_LEN)
    665. 

  665.         return 0;
    666. 

  666. 

  667.     b0 = buf[0];
    668. 

  668.     if ((b0 & 0x80) != 0) {
    669. 

  669.         /*
    670. 

  670.          * Long header. We need 6 bytes (initial byte, 4 version bytes, DCID
    671. 

  671.          * length byte to begin with). This is covered by the buf_len test
    672. 

  672.          * above.
    673. 

  673.          */
    674. 

  674. 

  675.         /*
    676. 

  676.          * If the version field is non-zero (meaning that this is not a Version
    677. 

  677.          * Negotiation packet), the fixed bit must be set.
    678. 

  678.          */
    679. 

  679.         if ((buf[1] || buf[2] || buf[3] || buf[4]) && (b0 & 0x40) == 0)
    680. 

  680.             return 0;
    681. 

  681. 

  682.         blen = (size_t)buf[5]; /* DCID Length */
    683. 

  683.         if (blen > QUIC_MAX_CONN_ID_LEN
    684. 

  684.             || buf_len < QUIC_MIN_VALID_PKT_LEN + blen)
    685. 

  685.             return 0;
    686. 

  686. 

  687.         dst_conn_id->id_len = (unsigned char)blen;
    688. 

  688.         memcpy(dst_conn_id->id, buf + 6, blen);
    689. 

  689.         return 1;
    690. 

  690.     } else {
    691. 

  691.         /* Short header. */
    692. 

  692.         if ((b0 & 0x40) == 0)
    693. 

  693.             /* Fixed bit not set, not a valid QUIC packet header. */
    694. 

  694.             return 0;
    695. 

  695. 

  696.         if (buf_len < QUIC_MIN_VALID_PKT_LEN_CRYPTO + short_conn_id_len)
    697. 

  697.             return 0;
    698. 

  698. 

  699.         dst_conn_id->id_len = (unsigned char)short_conn_id_len;
    700. 

  700.         memcpy(dst_conn_id->id, buf + 1, short_conn_id_len);
    701. 

  701.         return 1;
    702. 

  702.     }
    703. 

  703. }
    704. 

  704. 

  705. int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn,
    706. 

  706.                                      size_t enc_pn_len,
    707. 

  707.                                      QUIC_PN largest_pn,
    708. 

  708.                                      QUIC_PN *res_pn)
    709. 

  709. {
    710. 

  710.     int64_t expected_pn, truncated_pn, candidate_pn, pn_win, pn_hwin, pn_mask;
    711. 

  711. 

  712.     switch (enc_pn_len) {
    713. 

  713.         case 1:
    714. 

  714.             truncated_pn = enc_pn[0];
    715. 

  715.             break;
    716. 

  716.         case 2:
    717. 

  717.             truncated_pn = ((QUIC_PN)enc_pn[0] << 8)
    718. 

  718.                          |  (QUIC_PN)enc_pn[1];
    719. 

  719.             break;
    720. 

  720.         case 3:
    721. 

  721.             truncated_pn = ((QUIC_PN)enc_pn[0] << 16)
    722. 

  722.                          | ((QUIC_PN)enc_pn[1] << 8)
    723. 

  723.                          |  (QUIC_PN)enc_pn[2];
    724. 

  724.             break;
    725. 

  725.         case 4:
    726. 

  726.             truncated_pn = ((QUIC_PN)enc_pn[0] << 24)
    727. 

  727.                          | ((QUIC_PN)enc_pn[1] << 16)
    728. 

  728.                          | ((QUIC_PN)enc_pn[2] << 8)
    729. 

  729.                          |  (QUIC_PN)enc_pn[3];
    730. 

  730.             break;
    731. 

  731.         default:
    732. 

  732.             return 0;
    733. 

  733.     }
    734. 

  734. 

  735.     /* Implemented as per RFC 9000 Section A.3. */
    736. 

  736.     expected_pn     = largest_pn + 1;
    737. 

  737.     pn_win          = ((int64_t)1) << (enc_pn_len * 8);
    738. 

  738.     pn_hwin         = pn_win / 2;
    739. 

  739.     pn_mask         = pn_win - 1;
    740. 

  740.     candidate_pn    = (expected_pn & ~pn_mask) | truncated_pn;
    741. 

  741.     if (candidate_pn <= expected_pn - pn_hwin
    742. 

  742.         && candidate_pn < (((int64_t)1) << 62) - pn_win)
    743. 

  743.         *res_pn = candidate_pn + pn_win;
    744. 

  744.     else if (candidate_pn > expected_pn + pn_hwin
    745. 

  745.              && candidate_pn >= pn_win)
    746. 

  746.         *res_pn = candidate_pn - pn_win;
    747. 

  747.     else
    748. 

  748.         *res_pn = candidate_pn;
    749. 

  749.     return 1;
    750. 

  750. }
    751. 

  751. 

  752. /* From RFC 9000 Section A.2. Simplified implementation. */
    753. 

  753. int ossl_quic_wire_determine_pn_len(QUIC_PN pn,
    754. 

  754.                                     QUIC_PN largest_acked)
    755. 

  755. {
    756. 

  756.     uint64_t num_unacked
    757. 

  757.         = (largest_acked == QUIC_PN_INVALID) ? pn + 1 : pn - largest_acked;
    758. 

  758. 

  759.     /*
    760. 

  760.      * num_unacked \in [    0, 2** 7] -> 1 byte
    761. 

  761.      * num_unacked \in (2** 7, 2**15] -> 2 bytes
    762. 

  762.      * num_unacked \in (2**15, 2**23] -> 3 bytes
    763. 

  763.      * num_unacked \in (2**23,      ] -> 4 bytes
    764. 

  764.      */
    765. 

  765. 

  766.     if (num_unacked <= (1U<<7))  return 1;
    767. 

  767.     if (num_unacked <= (1U<<15)) return 2;
    768. 

  768.     if (num_unacked <= (1U<<23)) return 3;
    769. 

  769.     return 4;
    770. 

  770. }
    771. 

  771. 

  772. int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn,
    773. 

  773.                                      unsigned char *enc_pn,
    774. 

  774.                                      size_t enc_pn_len)
    775. 

  775. {
    776. 

  776.     switch (enc_pn_len) {
    777. 

  777.         case 1:
    778. 

  778.             enc_pn[0] = (unsigned char)pn;
    779. 

  779.             break;
    780. 

  780.         case 2:
    781. 

  781.             enc_pn[1] = (unsigned char)pn;
    782. 

  782.             enc_pn[0] = (unsigned char)(pn >> 8);
    783. 

  783.             break;
    784. 

  784.         case 3:
    785. 

  785.             enc_pn[2] = (unsigned char)pn;
    786. 

  786.             enc_pn[1] = (unsigned char)(pn >> 8);
    787. 

  787.             enc_pn[0] = (unsigned char)(pn >> 16);
    788. 

  788.             break;
    789. 

  789.         case 4:
    790. 

  790.             enc_pn[3] = (unsigned char)pn;
    791. 

  791.             enc_pn[2] = (unsigned char)(pn >> 8);
    792. 

  792.             enc_pn[1] = (unsigned char)(pn >> 16);
    793. 

  793.             enc_pn[0] = (unsigned char)(pn >> 24);
    794. 

  794.             break;
    795. 

  795.         default:
    796. 

  796.             return 0;
    797. 

  797.     }
    798. 

  798. 

  799.     return 1;
    800. 

  800. }
    801. 

  801. 

  802. int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx,
    803. 

  803.                                            const char *propq,
    804. 

  804.                                            const QUIC_PKT_HDR *hdr,
    805. 

  805.                                            const QUIC_CONN_ID *client_initial_dcid)
    806. 

  806. {
    807. 

  807.     unsigned char expected_tag[QUIC_RETRY_INTEGRITY_TAG_LEN];
    808. 

  808.     const unsigned char *actual_tag;
    809. 

  809. 

  810.     if (hdr == NULL || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN)
    811. 

  811.         return 0;
    812. 

  812. 

  813.     if (!ossl_quic_calculate_retry_integrity_tag(libctx, propq,
    814. 

  814.                                                  hdr, client_initial_dcid,
    815. 

  815.                                                  expected_tag))
    816. 

  816.         return 0;
    817. 

  817. 

  818.     actual_tag = hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN;
    819. 

  819. 

  820.     return !CRYPTO_memcmp(expected_tag, actual_tag,
    821. 

  821.                           QUIC_RETRY_INTEGRITY_TAG_LEN);
    822. 

  822. }
    823. 

  823. 

  824. /* RFC 9001 s. 5.8 */
    825. 

  825. static const unsigned char retry_integrity_key[] = {
    826. 

  826.     0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a,
    827. 

  827.     0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e
    828. 

  828. };
    829. 

  829. 

  830. static const unsigned char retry_integrity_nonce[] = {
    831. 

  831.     0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2,
    832. 

  832.     0x23, 0x98, 0x25, 0xbb
    833. 

  833. };
    834. 

  834. 

  835. int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx,
    836. 

  836.                                             const char *propq,
    837. 

  837.                                             const QUIC_PKT_HDR *hdr,
    838. 

  838.                                             const QUIC_CONN_ID *client_initial_dcid,
    839. 

  839.                                             unsigned char *tag)
    840. 

  840. {
    841. 

  841.     EVP_CIPHER *cipher = NULL;
    842. 

  842.     EVP_CIPHER_CTX *cctx = NULL;
    843. 

  843.     int ok = 0, l = 0, l2 = 0, wpkt_valid = 0;
    844. 

  844.     WPACKET wpkt;
    845. 

  845.     /* Worst case length of the Retry Psuedo-Packet header is 68 bytes. */
    846. 

  846.     unsigned char buf[128];
    847. 

  847.     QUIC_PKT_HDR hdr2;
    848. 

  848.     size_t hdr_enc_len = 0;
    849. 

  849. 

  850.     if (hdr->type != QUIC_PKT_TYPE_RETRY || hdr->version == 0
    851. 

  851.         || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN
    852. 

  852.         || hdr->data == NULL
    853. 

  853.         || client_initial_dcid == NULL || tag == NULL
    854. 

  854.         || client_initial_dcid->id_len > QUIC_MAX_CONN_ID_LEN) {
    855. 

  855.         ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
    856. 

  856.         goto err;
    857. 

  857.     }
    858. 

  858. 

  859.     /*
    860. 

  860.      * Do not reserve packet body in WPACKET. Retry packet header
    861. 

  861.      * does not contain a Length field so this does not affect
    862. 

  862.      * the serialized packet header.
    863. 

  863.      */
    864. 

  864.     hdr2 = *hdr;
    865. 

  865.     hdr2.len = 0;
    866. 

  866. 

  867.     /* Assemble retry psuedo-packet. */
    868. 

  868.     if (!WPACKET_init_static_len(&wpkt, buf, sizeof(buf), 0)) {
    869. 

  869.         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
    870. 

  870.         goto err;
    871. 

  871.     }
    872. 

  872. 

  873.     wpkt_valid = 1;
    874. 

  874. 

  875.     /* Prepend original DCID to the packet. */
    876. 

  876.     if (!WPACKET_put_bytes_u8(&wpkt, client_initial_dcid->id_len)
    877. 

  877.         || !WPACKET_memcpy(&wpkt, client_initial_dcid->id,
    878. 

  878.                            client_initial_dcid->id_len)) {
    879. 

  879.         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
    880. 

  880.         goto err;
    881. 

  881.     }
    882. 

  882. 

  883.     /* Encode main retry header. */
    884. 

  884.     if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, hdr2.dst_conn_id.id_len,
    885. 

  885.                                        &hdr2, NULL))
    886. 

  886.         goto err;
    887. 

  887. 

  888.     if (!WPACKET_get_total_written(&wpkt, &hdr_enc_len)) {
    889. 

  889.         ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
    890. 

  890.         return 0;
    891. 

  891.     }
    892. 

  892. 

  893.     /* Create and initialise cipher context. */
    894. 

  894.     /* TODO(QUIC FUTURE): Cipher fetch caching. */
    895. 

  895.     if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", propq)) == NULL) {
    896. 

  896.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    897. 

  897.         goto err;
    898. 

  898.     }
    899. 

  899. 

  900.     if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
    901. 

  901.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    902. 

  902.         goto err;
    903. 

  903.     }
    904. 

  904. 

  905.     if (!EVP_CipherInit_ex(cctx, cipher, NULL,
    906. 

  906.                            retry_integrity_key, retry_integrity_nonce, /*enc=*/1)) {
    907. 

  907.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    908. 

  908.         goto err;
    909. 

  909.     }
    910. 

  910. 

  911.     /* Feed packet header as AAD data. */
    912. 

  912.     if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) {
    913. 

  913.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    914. 

  914.         return 0;
    915. 

  915.     }
    916. 

  916. 

  917.     /* Feed packet body as AAD data. */
    918. 

  918.     if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data,
    919. 

  919.                          hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) != 1) {
    920. 

  920.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    921. 

  921.         return 0;
    922. 

  922.     }
    923. 

  923. 

  924.     /* Finalise and get tag. */
    925. 

  925.     if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
    926. 

  926.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    927. 

  927.         return 0;
    928. 

  928.     }
    929. 

  929. 

  930.     if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG,
    931. 

  931.                             QUIC_RETRY_INTEGRITY_TAG_LEN,
    932. 

  932.                             tag) != 1) {
    933. 

  933.         ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
    934. 

  934.         return 0;
    935. 

  935.     }
    936. 

  936. 

  937.     ok = 1;
    938. 

  938. err:
    939. 

  939.     EVP_CIPHER_free(cipher);
    940. 

  940.     EVP_CIPHER_CTX_free(cctx);
    941. 

  941.     if (wpkt_valid)
    942. 

  942.         WPACKET_finish(&wpkt);
    943. 

  943. 

  944.     return ok;
    945. 

  945. }
    946.