2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #ifndef OSSL_QUIC_WIRE_PKT_H
11 # define OSSL_QUIC_WIRE_PKT_H
13 # include <openssl/ssl.h>
14 # include "internal/packet.h"
15 # include "internal/quic_types.h"
17 # define QUIC_VERSION_NONE ((uint32_t)0) /* Used for version negotiation */
18 # define QUIC_VERSION_1 ((uint32_t)1) /* QUIC v1 */
20 /* QUIC logical packet type. These do not match wire values. */
21 # define QUIC_PKT_TYPE_INITIAL 1
22 # define QUIC_PKT_TYPE_0RTT 2
23 # define QUIC_PKT_TYPE_HANDSHAKE 3
24 # define QUIC_PKT_TYPE_RETRY 4
25 # define QUIC_PKT_TYPE_1RTT 5
26 # define QUIC_PKT_TYPE_VERSION_NEG 6
29 * Determine encryption level from packet type. Returns QUIC_ENC_LEVEL_NUM if
30 * the packet is not of a type which is encrypted.
32 static ossl_inline ossl_unused
uint32_t
33 ossl_quic_pkt_type_to_enc_level(uint32_t pkt_type
)
36 case QUIC_PKT_TYPE_INITIAL
:
37 return QUIC_ENC_LEVEL_INITIAL
;
38 case QUIC_PKT_TYPE_HANDSHAKE
:
39 return QUIC_ENC_LEVEL_HANDSHAKE
;
40 case QUIC_PKT_TYPE_0RTT
:
41 return QUIC_ENC_LEVEL_0RTT
;
42 case QUIC_PKT_TYPE_1RTT
:
43 return QUIC_ENC_LEVEL_1RTT
;
45 return QUIC_ENC_LEVEL_NUM
;
49 static ossl_inline ossl_unused
uint32_t
50 ossl_quic_enc_level_to_pkt_type(uint32_t enc_level
)
53 case QUIC_ENC_LEVEL_INITIAL
:
54 return QUIC_PKT_TYPE_INITIAL
;
55 case QUIC_ENC_LEVEL_HANDSHAKE
:
56 return QUIC_PKT_TYPE_HANDSHAKE
;
57 case QUIC_ENC_LEVEL_0RTT
:
58 return QUIC_PKT_TYPE_0RTT
;
59 case QUIC_ENC_LEVEL_1RTT
:
60 return QUIC_PKT_TYPE_1RTT
;
66 /* Determine if a packet type contains an encrypted payload. */
67 static ossl_inline ossl_unused
int
68 ossl_quic_pkt_type_is_encrypted(uint32_t pkt_type
)
71 case QUIC_PKT_TYPE_RETRY
:
72 case QUIC_PKT_TYPE_VERSION_NEG
:
79 /* Determine if a packet type contains a PN field. */
80 static ossl_inline ossl_unused
int
81 ossl_quic_pkt_type_has_pn(uint32_t pkt_type
)
84 * Currently a packet has a PN iff it is encrypted. This could change
87 return ossl_quic_pkt_type_is_encrypted(pkt_type
);
91 * Determine if a packet type can appear with other packets in a datagram. Some
92 * packet types must be the sole packet in a datagram.
94 static ossl_inline ossl_unused
int
95 ossl_quic_pkt_type_can_share_dgram(uint32_t pkt_type
)
98 * Currently only the encrypted packet types can share a datagram. This
99 * could change someday.
101 return ossl_quic_pkt_type_is_encrypted(pkt_type
);
105 * Determine if the packet type must come at the end of the datagram (due to the
106 * lack of a length field).
108 static ossl_inline ossl_unused
int
109 ossl_quic_pkt_type_must_be_last(uint32_t pkt_type
)
112 * Any packet type which cannot share a datagram obviously must come last.
113 * 1-RTT also must come last as it lacks a length field.
115 return !ossl_quic_pkt_type_can_share_dgram(pkt_type
)
116 || pkt_type
== QUIC_PKT_TYPE_1RTT
;
120 * Smallest possible QUIC packet size as per RFC (aside from version negotiation
123 #define QUIC_MIN_VALID_PKT_LEN_CRYPTO 21
124 #define QUIC_MIN_VALID_PKT_LEN_VERSION_NEG 7
125 #define QUIC_MIN_VALID_PKT_LEN QUIC_MIN_VALID_PKT_LEN_VERSION_NEG
127 typedef struct quic_pkt_hdr_ptrs_st QUIC_PKT_HDR_PTRS
;
130 * QUIC Packet Header Protection
131 * =============================
133 * Functions to apply and remove QUIC packet header protection. A header
134 * protector is initialised using ossl_quic_hdr_protector_init and must be
135 * destroyed using ossl_quic_hdr_protector_cleanup when no longer needed.
137 typedef struct quic_hdr_protector_st
{
138 OSSL_LIB_CTX
*libctx
;
140 EVP_CIPHER_CTX
*cipher_ctx
;
143 } QUIC_HDR_PROTECTOR
;
145 # define QUIC_HDR_PROT_CIPHER_AES_128 1
146 # define QUIC_HDR_PROT_CIPHER_AES_256 2
147 # define QUIC_HDR_PROT_CIPHER_CHACHA 3
150 * Initialises a header protector.
153 * The header protection cipher method to use. One of
154 * QUIC_HDR_PROT_CIPHER_*. Must be chosen based on negotiated TLS cipher
158 * This must be the "quic hp" key derived from a traffic secret.
160 * The length of the quic_hp_key must correspond to that expected for the
163 * The header protector performs amortisable initialisation in this function,
164 * therefore a header protector should be used for as long as possible.
166 * Returns 1 on success and 0 on failure.
168 int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR
*hpr
,
169 OSSL_LIB_CTX
*libctx
,
172 const unsigned char *quic_hp_key
,
173 size_t quic_hp_key_len
);
176 * Destroys a header protector. This is also safe to call on a zero-initialized
177 * OSSL_QUIC_HDR_PROTECTOR structure which has not been initialized, or which
178 * has already been destroyed.
180 void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR
*hpr
);
183 * Removes header protection from a packet. The packet payload must currently be
184 * encrypted (i.e., you must remove header protection before decrypting packets
185 * received). The function examines the header buffer to determine which bytes
186 * of the header need to be decrypted.
188 * If this function fails, no data is modified.
190 * This is implemented as a call to ossl_quic_hdr_protector_decrypt_fields().
192 * Returns 1 on success and 0 on failure.
194 int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR
*hpr
,
195 QUIC_PKT_HDR_PTRS
*ptrs
);
198 * Applies header protection to a packet. The packet payload must already have
199 * been encrypted (i.e., you must apply header protection after encrypting
200 * a packet). The function examines the header buffer to determine which bytes
201 * of the header need to be encrypted.
203 * This is implemented as a call to ossl_quic_hdr_protector_encrypt_fields().
205 * Returns 1 on success and 0 on failure.
207 int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR
*hpr
,
208 QUIC_PKT_HDR_PTRS
*ptrs
);
211 * Removes header protection from a packet. The packet payload must currently
212 * be encrypted. This is a low-level function which assumes you have already
213 * determined which parts of the packet header need to be decrypted.
216 * The range of bytes in the packet to be used to generate the header
217 * protection mask. It is permissible to set sample_len to the size of the
218 * remainder of the packet; this function will only use as many bytes as
219 * needed. If not enough sample bytes are provided, this function fails.
222 * The first byte of the QUIC packet header to be decrypted.
225 * Pointer to the start of the PN field. The caller is responsible
226 * for ensuring at least four bytes follow this pointer.
228 * Returns 1 on success and 0 on failure.
230 int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR
*hpr
,
231 const unsigned char *sample
,
233 unsigned char *first_byte
,
234 unsigned char *pn_bytes
);
237 * Works analogously to ossl_hdr_protector_decrypt_fields, but applies header
238 * protection instead of removing it.
240 int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR
*hpr
,
241 const unsigned char *sample
,
243 unsigned char *first_byte
,
244 unsigned char *pn_bytes
);
250 * This structure provides a logical representation of a QUIC packet header.
252 * QUIC packet formats fall into the following categories:
254 * Long Packets, which is subdivided into five possible packet types:
255 * Version Negotiation (a special case);
261 * Short Packets, which comprises only a single packet type (1-RTT).
263 * The packet formats vary and common fields are found in some packets but
264 * not others. The below table indicates which fields are present in which
265 * kinds of packet. * indicates header protection is applied.
267 * SLLLLL Legend: 1=1-RTT, i=Initial, 0=0-RTT, h=Handshake
268 * 1i0hrv r=Retry, v=Version Negotiation
270 * 1i0hrv Header Form (0=Short, 1=Long)
271 * 1i0hr Fixed Bit (always 1)
275 * 1i0h * Packet Number Length
276 * i0hr? Long Packet Type
277 * i0h Type-Specific Bits
278 * i0hr Version (note: always 0 for Version Negotiation packets)
279 * 1i0hrv Destination Connection ID
280 * i0hrv Source Connection ID
281 * 1i0h * Packet Number
285 * r Retry Integrity Tag
287 * For each field below, the conditions under which the field is valid are
288 * specified. If a field is not currently valid, it is initialized to a zero or
291 typedef struct quic_pkt_hdr_st
{
292 /* [ALL] A QUIC_PKT_TYPE_* value. Always valid. */
293 unsigned int type
:8;
295 /* [S] Value of the spin bit. Valid if (type == 1RTT). */
296 unsigned int spin_bit
:1;
299 * [S] Value of the Key Phase bit in the short packet.
300 * Valid if (type == 1RTT && !partial).
302 unsigned int key_phase
:1;
305 * [1i0h] Length of packet number in bytes. This is the decoded value.
306 * Valid if ((type == 1RTT || (version && type != RETRY)) && !partial).
308 unsigned int pn_len
:4;
311 * [ALL] Set to 1 if this is a partial decode because the packet header
312 * has not yet been deprotected. pn_len, pn and key_phase are not valid if
315 unsigned int partial
:1;
318 * [ALL] Whether the fixed bit was set. Note that only Version Negotiation
319 * packets are allowed to have this unset, so this will always be 1 for all
320 * other packet types (decode will fail if it is not set). Ignored when
321 * encoding unless encoding a Version Negotiation packet.
323 unsigned int fixed
:1;
325 /* [L] Version field. Valid if (type != 1RTT). */
328 /* [ALL] The destination connection ID. Always valid. */
329 QUIC_CONN_ID dst_conn_id
;
332 * [L] The source connection ID.
333 * Valid if (type != 1RTT).
335 QUIC_CONN_ID src_conn_id
;
338 * [1i0h] Relatively-encoded packet number in raw, encoded form. The correct
339 * decoding of this value is context-dependent. The number of bytes valid in
340 * this buffer is determined by pn_len above. If the decode was partial,
341 * this field is not valid.
343 * Valid if ((type == 1RTT || (version && type != RETRY)) && !partial).
348 * [i] Token field in Initial packet. Points to memory inside the decoded
349 * PACKET, and therefore is valid for as long as the PACKET's buffer is
350 * valid. token_len is the length of the token in bytes.
352 * Valid if (type == INITIAL).
354 const unsigned char *token
;
358 * [ALL] Payload length in bytes.
360 * Though 1-RTT, Retry and Version Negotiation packets do not contain an
361 * explicit length field, this field is always valid and is used by the
362 * packet header encoding and decoding routines to describe the payload
363 * length, regardless of whether the packet type encoded or decoded uses an
364 * explicit length indication.
369 * Pointer to start of payload data in the packet. Points to memory inside
370 * the decoded PACKET, and therefore is valid for as long as the PACKET'S
371 * buffer is valid. The length of the buffer in bytes is in len above.
373 * For Version Negotiation packets, points to the array of supported
376 * For Retry packets, points to the Retry packet payload, which comprises
377 * the Retry Token followed by a 16-byte Retry Integrity Tag.
379 * Regardless of whether a packet is a Version Negotiation packet (where the
380 * payload contains a list of supported versions), a Retry packet (where the
381 * payload contains a Retry Token and Retry Integrity Tag), or any other
382 * packet type (where the payload contains frames), the payload is not
383 * validated and the user must parse the payload bearing this in mind.
385 * If the decode was partial (partial is set), this points to the start of
386 * the packet number field, rather than the protected payload, as the length
387 * of the packet number field is unknown. The len field reflects this in
388 * this case (i.e., the len field is the number of payload bytes plus the
389 * number of bytes comprising the PN).
391 const unsigned char *data
;
395 * Extra information which can be output by the packet header decode functions
396 * for the assistance of the header protector. This avoids the header protector
397 * needing to partially re-decode the packet header.
399 struct quic_pkt_hdr_ptrs_st
{
400 unsigned char *raw_start
; /* start of packet */
401 unsigned char *raw_sample
; /* start of sampling range */
402 size_t raw_sample_len
; /* maximum length of sampling range */
405 * Start of PN field. Guaranteed to be NULL unless at least four bytes are
406 * available via this pointer.
408 unsigned char *raw_pn
;
412 * If partial is 1, reads the unprotected parts of a protected packet header
413 * from a PACKET, performing a partial decode.
415 * If partial is 0, the input is assumed to have already had header protection
416 * removed, and all header fields are decoded.
418 * On success, the logical decode of the packet header is written to *hdr.
419 * hdr->partial is set or cleared according to whether a partial decode was
420 * performed. *ptrs is filled with pointers to various parts of the packet
423 * In order to decode short packets, the connection ID length being used must be
424 * known contextually, and should be passed as short_conn_id_len. If
425 * short_conn_id_len is set to an invalid value (a value greater than
426 * QUIC_MAX_CONN_ID_LEN), this function fails when trying to decode a short
427 * packet, but succeeds for long packets.
429 * Returns 1 on success and 0 on failure.
431 int ossl_quic_wire_decode_pkt_hdr(PACKET
*pkt
,
432 size_t short_conn_id_len
,
435 QUIC_PKT_HDR_PTRS
*ptrs
);
438 * Encodes a packet header. The packet is written to pkt.
440 * The length of the (encrypted) packet payload should be written to hdr->len
441 * and will be placed in the serialized packet header. The payload data itself
442 * is not copied; the caller should write hdr->len bytes of encrypted payload to
443 * the WPACKET immediately after the call to this function. However,
444 * WPACKET_reserve_bytes is called for the payload size.
446 * This function does not apply header protection. You must apply header
447 * protection yourself after calling this function. *ptrs is filled with
448 * pointers which can be passed to a header protector, but this must be
449 * performed after the encrypted payload is written.
451 * The pointers in *ptrs are direct pointers into the WPACKET buffer. If more
452 * data is written to the WPACKET buffer, WPACKET buffer reallocations may
453 * occur, causing these pointers to become invalid. Therefore, you must not call
454 * any write WPACKET function between this call and the call to
455 * ossl_quic_hdr_protector_encrypt. This function calls WPACKET_reserve_bytes
456 * for the payload length, so you may assume hdr->len bytes are already free to
457 * write at the WPACKET cursor location once this function returns successfully.
458 * It is recommended that you call this function, write the encrypted payload,
459 * call ossl_quic_hdr_protector_encrypt, and then call
460 * WPACKET_allocate_bytes(hdr->len).
462 * Version Negotiation and Retry packets do not use header protection; for these
463 * header types, the fields in *ptrs are all written as zero. Version
464 * Negotiation, Retry and 1-RTT packets do not contain a Length field, but
465 * hdr->len bytes of data are still reserved in the WPACKET.
467 * If serializing a short packet and short_conn_id_len does not match the DCID
468 * specified in hdr, the function fails.
470 * Returns 1 on success and 0 on failure.
472 int ossl_quic_wire_encode_pkt_hdr(WPACKET
*pkt
,
473 size_t short_conn_id_len
,
474 const QUIC_PKT_HDR
*hdr
,
475 QUIC_PKT_HDR_PTRS
*ptrs
);
478 * Retrieves only the DCID from a packet header. This is intended for demuxer
479 * use. It avoids the need to parse the rest of the packet header twice.
481 * Information on packet length is not decoded, as this only needs to be used on
482 * the first packet in a datagram, therefore this takes a buffer and not a
485 * Returns 1 on success and 0 on failure.
487 int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf
,
489 size_t short_conn_id_len
,
490 QUIC_CONN_ID
*dst_conn_id
);
493 * Precisely predicts the encoded length of a packet header structure.
495 * May return 0 if the packet header is not valid, but the fact that this
496 * function returns non-zero does not guarantee that
497 * ossl_quic_wire_encode_pkt_hdr() will succeed.
499 int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len
,
500 const QUIC_PKT_HDR
*hdr
);
503 * Packet Number Encoding
504 * ======================
508 * Decode an encoded packet header QUIC PN.
510 * enc_pn is the raw encoded PN to decode. enc_pn_len is its length in bytes as
511 * indicated by packet headers. largest_pn is the largest PN successfully
512 * processed in the relevant PN space.
514 * The resulting PN is written to *res_pn.
516 * Returns 1 on success or 0 on failure.
518 int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn
,
524 * Determine how many bytes should be used to encode a PN. Returns the number of
525 * bytes (which will be in range [1, 4]).
527 int ossl_quic_wire_determine_pn_len(QUIC_PN pn
, QUIC_PN largest_acked
);
530 * Encode a PN for a packet header using the specified number of bytes, which
531 * should have been determined by calling ossl_quic_wire_determine_pn_len. The
532 * PN encoding process is done in two parts to allow the caller to override PN
533 * encoding length if it wishes.
535 * Returns 1 on success and 0 on failure.
537 int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn
,
538 unsigned char *enc_pn
,