2
0

quic_wire_pkt.h 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629
  1. /*
  2. * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #ifndef OSSL_QUIC_WIRE_PKT_H
  10. # define OSSL_QUIC_WIRE_PKT_H
  11. # include <openssl/ssl.h>
  12. # include "internal/packet_quic.h"
  13. # include "internal/quic_types.h"
  14. # ifndef OPENSSL_NO_QUIC
  15. # define QUIC_VERSION_NONE ((uint32_t)0) /* Used for version negotiation */
  16. # define QUIC_VERSION_1 ((uint32_t)1) /* QUIC v1 */
  17. /* QUIC logical packet type. These do not match wire values. */
  18. # define QUIC_PKT_TYPE_INITIAL 1
  19. # define QUIC_PKT_TYPE_0RTT 2
  20. # define QUIC_PKT_TYPE_HANDSHAKE 3
  21. # define QUIC_PKT_TYPE_RETRY 4
  22. # define QUIC_PKT_TYPE_1RTT 5
  23. # define QUIC_PKT_TYPE_VERSION_NEG 6
  24. /*
  25. * Determine encryption level from packet type. Returns QUIC_ENC_LEVEL_NUM if
  26. * the packet is not of a type which is encrypted.
  27. */
  28. static ossl_inline ossl_unused uint32_t
  29. ossl_quic_pkt_type_to_enc_level(uint32_t pkt_type)
  30. {
  31. switch (pkt_type) {
  32. case QUIC_PKT_TYPE_INITIAL:
  33. return QUIC_ENC_LEVEL_INITIAL;
  34. case QUIC_PKT_TYPE_HANDSHAKE:
  35. return QUIC_ENC_LEVEL_HANDSHAKE;
  36. case QUIC_PKT_TYPE_0RTT:
  37. return QUIC_ENC_LEVEL_0RTT;
  38. case QUIC_PKT_TYPE_1RTT:
  39. return QUIC_ENC_LEVEL_1RTT;
  40. default:
  41. return QUIC_ENC_LEVEL_NUM;
  42. }
  43. }
  44. static ossl_inline ossl_unused uint32_t
  45. ossl_quic_enc_level_to_pkt_type(uint32_t enc_level)
  46. {
  47. switch (enc_level) {
  48. case QUIC_ENC_LEVEL_INITIAL:
  49. return QUIC_PKT_TYPE_INITIAL;
  50. case QUIC_ENC_LEVEL_HANDSHAKE:
  51. return QUIC_PKT_TYPE_HANDSHAKE;
  52. case QUIC_ENC_LEVEL_0RTT:
  53. return QUIC_PKT_TYPE_0RTT;
  54. case QUIC_ENC_LEVEL_1RTT:
  55. return QUIC_PKT_TYPE_1RTT;
  56. default:
  57. return UINT32_MAX;
  58. }
  59. }
  60. /* Determine if a packet type contains an encrypted payload. */
  61. static ossl_inline ossl_unused int
  62. ossl_quic_pkt_type_is_encrypted(uint32_t pkt_type)
  63. {
  64. switch (pkt_type) {
  65. case QUIC_PKT_TYPE_RETRY:
  66. case QUIC_PKT_TYPE_VERSION_NEG:
  67. return 0;
  68. default:
  69. return 1;
  70. }
  71. }
  72. /* Determine if a packet type contains a PN field. */
  73. static ossl_inline ossl_unused int
  74. ossl_quic_pkt_type_has_pn(uint32_t pkt_type)
  75. {
  76. /*
  77. * Currently a packet has a PN iff it is encrypted. This could change
  78. * someday.
  79. */
  80. return ossl_quic_pkt_type_is_encrypted(pkt_type);
  81. }
  82. /*
  83. * Determine if a packet type can appear with other packets in a datagram. Some
  84. * packet types must be the sole packet in a datagram.
  85. */
  86. static ossl_inline ossl_unused int
  87. ossl_quic_pkt_type_can_share_dgram(uint32_t pkt_type)
  88. {
  89. /*
  90. * Currently only the encrypted packet types can share a datagram. This
  91. * could change someday.
  92. */
  93. return ossl_quic_pkt_type_is_encrypted(pkt_type);
  94. }
  95. /*
  96. * Determine if the packet type must come at the end of the datagram (due to the
  97. * lack of a length field).
  98. */
  99. static ossl_inline ossl_unused int
  100. ossl_quic_pkt_type_must_be_last(uint32_t pkt_type)
  101. {
  102. /*
  103. * Any packet type which cannot share a datagram obviously must come last.
  104. * 1-RTT also must come last as it lacks a length field.
  105. */
  106. return !ossl_quic_pkt_type_can_share_dgram(pkt_type)
  107. || pkt_type == QUIC_PKT_TYPE_1RTT;
  108. }
  109. /*
  110. * Determine if the packet type has a version field.
  111. */
  112. static ossl_inline ossl_unused int
  113. ossl_quic_pkt_type_has_version(uint32_t pkt_type)
  114. {
  115. return pkt_type != QUIC_PKT_TYPE_1RTT && pkt_type != QUIC_PKT_TYPE_VERSION_NEG;
  116. }
  117. /*
  118. * Determine if the packet type has a SCID field.
  119. */
  120. static ossl_inline ossl_unused int
  121. ossl_quic_pkt_type_has_scid(uint32_t pkt_type)
  122. {
  123. return pkt_type != QUIC_PKT_TYPE_1RTT;
  124. }
  125. /*
  126. * Smallest possible QUIC packet size as per RFC (aside from version negotiation
  127. * packets).
  128. */
  129. # define QUIC_MIN_VALID_PKT_LEN_CRYPTO 21
  130. # define QUIC_MIN_VALID_PKT_LEN_VERSION_NEG 7
  131. # define QUIC_MIN_VALID_PKT_LEN QUIC_MIN_VALID_PKT_LEN_VERSION_NEG
  132. typedef struct quic_pkt_hdr_ptrs_st QUIC_PKT_HDR_PTRS;
  133. /*
  134. * QUIC Packet Header Protection
  135. * =============================
  136. *
  137. * Functions to apply and remove QUIC packet header protection. A header
  138. * protector is initialised using ossl_quic_hdr_protector_init and must be
  139. * destroyed using ossl_quic_hdr_protector_cleanup when no longer needed.
  140. */
  141. typedef struct quic_hdr_protector_st {
  142. OSSL_LIB_CTX *libctx;
  143. const char *propq;
  144. EVP_CIPHER_CTX *cipher_ctx;
  145. EVP_CIPHER *cipher;
  146. uint32_t cipher_id;
  147. } QUIC_HDR_PROTECTOR;
  148. # define QUIC_HDR_PROT_CIPHER_AES_128 1
  149. # define QUIC_HDR_PROT_CIPHER_AES_256 2
  150. # define QUIC_HDR_PROT_CIPHER_CHACHA 3
  151. /*
  152. * Initialises a header protector.
  153. *
  154. * cipher_id:
  155. * The header protection cipher method to use. One of
  156. * QUIC_HDR_PROT_CIPHER_*. Must be chosen based on negotiated TLS cipher
  157. * suite.
  158. *
  159. * quic_hp_key:
  160. * This must be the "quic hp" key derived from a traffic secret.
  161. *
  162. * The length of the quic_hp_key must correspond to that expected for the
  163. * given cipher ID.
  164. *
  165. * The header protector performs amortisable initialisation in this function,
  166. * therefore a header protector should be used for as long as possible.
  167. *
  168. * Returns 1 on success and 0 on failure.
  169. */
  170. int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr,
  171. OSSL_LIB_CTX *libctx,
  172. const char *propq,
  173. uint32_t cipher_id,
  174. const unsigned char *quic_hp_key,
  175. size_t quic_hp_key_len);
  176. /*
  177. * Destroys a header protector. This is also safe to call on a zero-initialized
  178. * OSSL_QUIC_HDR_PROTECTOR structure which has not been initialized, or which
  179. * has already been destroyed.
  180. */
  181. void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr);
  182. /*
  183. * Removes header protection from a packet. The packet payload must currently be
  184. * encrypted (i.e., you must remove header protection before decrypting packets
  185. * received). The function examines the header buffer to determine which bytes
  186. * of the header need to be decrypted.
  187. *
  188. * If this function fails, no data is modified.
  189. *
  190. * This is implemented as a call to ossl_quic_hdr_protector_decrypt_fields().
  191. *
  192. * Returns 1 on success and 0 on failure.
  193. */
  194. int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr,
  195. QUIC_PKT_HDR_PTRS *ptrs);
  196. /*
  197. * Applies header protection to a packet. The packet payload must already have
  198. * been encrypted (i.e., you must apply header protection after encrypting
  199. * a packet). The function examines the header buffer to determine which bytes
  200. * of the header need to be encrypted.
  201. *
  202. * This is implemented as a call to ossl_quic_hdr_protector_encrypt_fields().
  203. *
  204. * Returns 1 on success and 0 on failure.
  205. */
  206. int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr,
  207. QUIC_PKT_HDR_PTRS *ptrs);
  208. /*
  209. * Removes header protection from a packet. The packet payload must currently
  210. * be encrypted. This is a low-level function which assumes you have already
  211. * determined which parts of the packet header need to be decrypted.
  212. *
  213. * sample:
  214. * The range of bytes in the packet to be used to generate the header
  215. * protection mask. It is permissible to set sample_len to the size of the
  216. * remainder of the packet; this function will only use as many bytes as
  217. * needed. If not enough sample bytes are provided, this function fails.
  218. *
  219. * first_byte:
  220. * The first byte of the QUIC packet header to be decrypted.
  221. *
  222. * pn:
  223. * Pointer to the start of the PN field. The caller is responsible
  224. * for ensuring at least four bytes follow this pointer.
  225. *
  226. * Returns 1 on success and 0 on failure.
  227. */
  228. int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr,
  229. const unsigned char *sample,
  230. size_t sample_len,
  231. unsigned char *first_byte,
  232. unsigned char *pn_bytes);
  233. /*
  234. * Works analogously to ossl_hdr_protector_decrypt_fields, but applies header
  235. * protection instead of removing it.
  236. */
  237. int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr,
  238. const unsigned char *sample,
  239. size_t sample_len,
  240. unsigned char *first_byte,
  241. unsigned char *pn_bytes);
  242. /*
  243. * QUIC Packet Header
  244. * ==================
  245. *
  246. * This structure provides a logical representation of a QUIC packet header.
  247. *
  248. * QUIC packet formats fall into the following categories:
  249. *
  250. * Long Packets, which is subdivided into five possible packet types:
  251. * Version Negotiation (a special case);
  252. * Initial;
  253. * 0-RTT;
  254. * Handshake; and
  255. * Retry
  256. *
  257. * Short Packets, which comprises only a single packet type (1-RTT).
  258. *
  259. * The packet formats vary and common fields are found in some packets but
  260. * not others. The below table indicates which fields are present in which
  261. * kinds of packet. * indicates header protection is applied.
  262. *
  263. * SLLLLL Legend: 1=1-RTT, i=Initial, 0=0-RTT, h=Handshake
  264. * 1i0hrv r=Retry, v=Version Negotiation
  265. * ------
  266. * 1i0hrv Header Form (0=Short, 1=Long)
  267. * 1i0hr Fixed Bit (always 1)
  268. * 1 Spin Bit
  269. * 1 * Reserved Bits
  270. * 1 * Key Phase
  271. * 1i0h * Packet Number Length
  272. * i0hr? Long Packet Type
  273. * i0h Type-Specific Bits
  274. * i0hr Version (note: always 0 for Version Negotiation packets)
  275. * 1i0hrv Destination Connection ID
  276. * i0hrv Source Connection ID
  277. * 1i0h * Packet Number
  278. * i Token
  279. * i0h Length
  280. * r Retry Token
  281. * r Retry Integrity Tag
  282. *
  283. * For each field below, the conditions under which the field is valid are
  284. * specified. If a field is not currently valid, it is initialized to a zero or
  285. * NULL value.
  286. */
  287. typedef struct quic_pkt_hdr_st {
  288. /* [ALL] A QUIC_PKT_TYPE_* value. Always valid. */
  289. unsigned int type :8;
  290. /* [S] Value of the spin bit. Valid if (type == 1RTT). */
  291. unsigned int spin_bit :1;
  292. /*
  293. * [S] Value of the Key Phase bit in the short packet.
  294. * Valid if (type == 1RTT && !partial).
  295. */
  296. unsigned int key_phase :1;
  297. /*
  298. * [1i0h] Length of packet number in bytes. This is the decoded value.
  299. * Valid if ((type == 1RTT || (version && type != RETRY)) && !partial).
  300. */
  301. unsigned int pn_len :4;
  302. /*
  303. * [ALL] Set to 1 if this is a partial decode because the packet header
  304. * has not yet been deprotected. pn_len, pn and key_phase are not valid if
  305. * this is set.
  306. */
  307. unsigned int partial :1;
  308. /*
  309. * [ALL] Whether the fixed bit was set. Note that only Version Negotiation
  310. * packets are allowed to have this unset, so this will always be 1 for all
  311. * other packet types (decode will fail if it is not set). Ignored when
  312. * encoding unless encoding a Version Negotiation packet.
  313. */
  314. unsigned int fixed :1;
  315. /*
  316. * The unused bits in the low 4 bits of a Retry packet header's first byte.
  317. * This is used to ensure that Retry packets have the same bit-for-bit
  318. * representation in their header when decoding and encoding them again.
  319. * This is necessary to validate Retry packet headers.
  320. */
  321. unsigned int unused :4;
  322. /*
  323. * The 'Reserved' bits in an Initial, Handshake, 0-RTT or 1-RTT packet
  324. * header's first byte. These are provided so that the caller can validate
  325. * that they are zero, as this must be done after packet protection is
  326. * successfully removed to avoid creating a timing channel.
  327. */
  328. unsigned int reserved :2;
  329. /* [L] Version field. Valid if (type != 1RTT). */
  330. uint32_t version;
  331. /* [ALL] The destination connection ID. Always valid. */
  332. QUIC_CONN_ID dst_conn_id;
  333. /*
  334. * [L] The source connection ID.
  335. * Valid if (type != 1RTT).
  336. */
  337. QUIC_CONN_ID src_conn_id;
  338. /*
  339. * [1i0h] Relatively-encoded packet number in raw, encoded form. The correct
  340. * decoding of this value is context-dependent. The number of bytes valid in
  341. * this buffer is determined by pn_len above. If the decode was partial,
  342. * this field is not valid.
  343. *
  344. * Valid if ((type == 1RTT || (version && type != RETRY)) && !partial).
  345. */
  346. unsigned char pn[4];
  347. /*
  348. * [i] Token field in Initial packet. Points to memory inside the decoded
  349. * PACKET, and therefore is valid for as long as the PACKET's buffer is
  350. * valid. token_len is the length of the token in bytes.
  351. *
  352. * Valid if (type == INITIAL).
  353. */
  354. const unsigned char *token;
  355. size_t token_len;
  356. /*
  357. * [ALL] Payload length in bytes.
  358. *
  359. * Though 1-RTT, Retry and Version Negotiation packets do not contain an
  360. * explicit length field, this field is always valid and is used by the
  361. * packet header encoding and decoding routines to describe the payload
  362. * length, regardless of whether the packet type encoded or decoded uses an
  363. * explicit length indication.
  364. */
  365. size_t len;
  366. /*
  367. * Pointer to start of payload data in the packet. Points to memory inside
  368. * the decoded PACKET, and therefore is valid for as long as the PACKET'S
  369. * buffer is valid. The length of the buffer in bytes is in len above.
  370. *
  371. * For Version Negotiation packets, points to the array of supported
  372. * versions.
  373. *
  374. * For Retry packets, points to the Retry packet payload, which comprises
  375. * the Retry Token followed by a 16-byte Retry Integrity Tag.
  376. *
  377. * Regardless of whether a packet is a Version Negotiation packet (where the
  378. * payload contains a list of supported versions), a Retry packet (where the
  379. * payload contains a Retry Token and Retry Integrity Tag), or any other
  380. * packet type (where the payload contains frames), the payload is not
  381. * validated and the user must parse the payload bearing this in mind.
  382. *
  383. * If the decode was partial (partial is set), this points to the start of
  384. * the packet number field, rather than the protected payload, as the length
  385. * of the packet number field is unknown. The len field reflects this in
  386. * this case (i.e., the len field is the number of payload bytes plus the
  387. * number of bytes comprising the PN).
  388. */
  389. const unsigned char *data;
  390. } QUIC_PKT_HDR;
  391. /*
  392. * Extra information which can be output by the packet header decode functions
  393. * for the assistance of the header protector. This avoids the header protector
  394. * needing to partially re-decode the packet header.
  395. */
  396. struct quic_pkt_hdr_ptrs_st {
  397. unsigned char *raw_start; /* start of packet */
  398. unsigned char *raw_sample; /* start of sampling range */
  399. size_t raw_sample_len; /* maximum length of sampling range */
  400. /*
  401. * Start of PN field. Guaranteed to be NULL unless at least four bytes are
  402. * available via this pointer.
  403. */
  404. unsigned char *raw_pn;
  405. };
  406. /*
  407. * If partial is 1, reads the unprotected parts of a protected packet header
  408. * from a PACKET, performing a partial decode.
  409. *
  410. * If partial is 0, the input is assumed to have already had header protection
  411. * removed, and all header fields are decoded.
  412. *
  413. * If nodata is 1, the input is assumed to have no payload data in it. Otherwise
  414. * payload data must be present.
  415. *
  416. * On success, the logical decode of the packet header is written to *hdr.
  417. * hdr->partial is set or cleared according to whether a partial decode was
  418. * performed. *ptrs is filled with pointers to various parts of the packet
  419. * buffer.
  420. *
  421. * In order to decode short packets, the connection ID length being used must be
  422. * known contextually, and should be passed as short_conn_id_len. If
  423. * short_conn_id_len is set to an invalid value (a value greater than
  424. * QUIC_MAX_CONN_ID_LEN), this function fails when trying to decode a short
  425. * packet, but succeeds for long packets.
  426. *
  427. * Returns 1 on success and 0 on failure.
  428. */
  429. int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt,
  430. size_t short_conn_id_len,
  431. int partial,
  432. int nodata,
  433. QUIC_PKT_HDR *hdr,
  434. QUIC_PKT_HDR_PTRS *ptrs);
  435. /*
  436. * Encodes a packet header. The packet is written to pkt.
  437. *
  438. * The length of the (encrypted) packet payload should be written to hdr->len
  439. * and will be placed in the serialized packet header. The payload data itself
  440. * is not copied; the caller should write hdr->len bytes of encrypted payload to
  441. * the WPACKET immediately after the call to this function. However,
  442. * WPACKET_reserve_bytes is called for the payload size.
  443. *
  444. * This function does not apply header protection. You must apply header
  445. * protection yourself after calling this function. *ptrs is filled with
  446. * pointers which can be passed to a header protector, but this must be
  447. * performed after the encrypted payload is written.
  448. *
  449. * The pointers in *ptrs are direct pointers into the WPACKET buffer. If more
  450. * data is written to the WPACKET buffer, WPACKET buffer reallocations may
  451. * occur, causing these pointers to become invalid. Therefore, you must not call
  452. * any write WPACKET function between this call and the call to
  453. * ossl_quic_hdr_protector_encrypt. This function calls WPACKET_reserve_bytes
  454. * for the payload length, so you may assume hdr->len bytes are already free to
  455. * write at the WPACKET cursor location once this function returns successfully.
  456. * It is recommended that you call this function, write the encrypted payload,
  457. * call ossl_quic_hdr_protector_encrypt, and then call
  458. * WPACKET_allocate_bytes(hdr->len).
  459. *
  460. * Version Negotiation and Retry packets do not use header protection; for these
  461. * header types, the fields in *ptrs are all written as zero. Version
  462. * Negotiation, Retry and 1-RTT packets do not contain a Length field, but
  463. * hdr->len bytes of data are still reserved in the WPACKET.
  464. *
  465. * If serializing a short packet and short_conn_id_len does not match the DCID
  466. * specified in hdr, the function fails.
  467. *
  468. * Returns 1 on success and 0 on failure.
  469. */
  470. int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt,
  471. size_t short_conn_id_len,
  472. const QUIC_PKT_HDR *hdr,
  473. QUIC_PKT_HDR_PTRS *ptrs);
  474. /*
  475. * Retrieves only the DCID from a packet header. This is intended for demuxer
  476. * use. It avoids the need to parse the rest of the packet header twice.
  477. *
  478. * Information on packet length is not decoded, as this only needs to be used on
  479. * the first packet in a datagram, therefore this takes a buffer and not a
  480. * PACKET.
  481. *
  482. * Returns 1 on success and 0 on failure.
  483. */
  484. int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf,
  485. size_t buf_len,
  486. size_t short_conn_id_len,
  487. QUIC_CONN_ID *dst_conn_id);
  488. /*
  489. * Precisely predicts the encoded length of a packet header structure.
  490. *
  491. * May return 0 if the packet header is not valid, but the fact that this
  492. * function returns non-zero does not guarantee that
  493. * ossl_quic_wire_encode_pkt_hdr() will succeed.
  494. */
  495. int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len,
  496. const QUIC_PKT_HDR *hdr);
  497. /*
  498. * Packet Number Encoding
  499. * ======================
  500. */
  501. /*
  502. * Decode an encoded packet header QUIC PN.
  503. *
  504. * enc_pn is the raw encoded PN to decode. enc_pn_len is its length in bytes as
  505. * indicated by packet headers. largest_pn is the largest PN successfully
  506. * processed in the relevant PN space.
  507. *
  508. * The resulting PN is written to *res_pn.
  509. *
  510. * Returns 1 on success or 0 on failure.
  511. */
  512. int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn,
  513. size_t enc_pn_len,
  514. QUIC_PN largest_pn,
  515. QUIC_PN *res_pn);
  516. /*
  517. * Determine how many bytes should be used to encode a PN. Returns the number of
  518. * bytes (which will be in range [1, 4]).
  519. */
  520. int ossl_quic_wire_determine_pn_len(QUIC_PN pn, QUIC_PN largest_acked);
  521. /*
  522. * Encode a PN for a packet header using the specified number of bytes, which
  523. * should have been determined by calling ossl_quic_wire_determine_pn_len. The
  524. * PN encoding process is done in two parts to allow the caller to override PN
  525. * encoding length if it wishes.
  526. *
  527. * Returns 1 on success and 0 on failure.
  528. */
  529. int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn,
  530. unsigned char *enc_pn,
  531. size_t enc_pn_len);
  532. /*
  533. * Retry Integrity Tags
  534. * ====================
  535. */
  536. # define QUIC_RETRY_INTEGRITY_TAG_LEN 16
  537. /*
  538. * Validate a retry integrity tag. Returns 1 if the tag is valid.
  539. *
  540. * Must be called on a hdr with a type of QUIC_PKT_TYPE_RETRY with a valid data
  541. * pointer.
  542. *
  543. * client_initial_dcid must be the original DCID used by the client in its first
  544. * Initial packet, as this is used to calculate the Retry Integrity Tag.
  545. *
  546. * Returns 0 if the tag is invalid, if called on any other type of packet or if
  547. * the body is too short.
  548. */
  549. int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx,
  550. const char *propq,
  551. const QUIC_PKT_HDR *hdr,
  552. const QUIC_CONN_ID *client_initial_dcid);
  553. /*
  554. * Calculates a retry integrity tag. Returns 0 on error, for example if hdr does
  555. * not have a type of QUIC_PKT_TYPE_RETRY.
  556. *
  557. * client_initial_dcid must be the original DCID used by the client in its first
  558. * Initial packet, as this is used to calculate the Retry Integrity Tag.
  559. *
  560. * tag must point to a buffer of QUIC_RETRY_INTEGRITY_TAG_LEN bytes in size.
  561. *
  562. * Note that hdr->data must point to the Retry packet body, and hdr->len must
  563. * include the space for the Retry Integrity Tag. (This means that you can
  564. * easily fill in a tag in a Retry packet you are generating by calling this
  565. * function and passing (hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) as
  566. * the tag argument.) This function fails if hdr->len is too short to contain a
  567. * Retry Integrity Tag.
  568. */
  569. int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx,
  570. const char *propq,
  571. const QUIC_PKT_HDR *hdr,
  572. const QUIC_CONN_ID *client_initial_dcid,
  573. unsigned char *tag);
  574. # endif
  575. #endif