From: Amaury Denoyelle Date: Tue, 12 Aug 2025 08:40:06 +0000 (+0200) Subject: MINOR: quic: centralize padding for HP sampling on packet building X-Git-Tag: v3.3-dev8~114 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1529ec1a25cc216f7613517e5e8c936852d18007;p=thirdparty%2Fhaproxy.git MINOR: quic: centralize padding for HP sampling on packet building The below patch has simplified INITIAL padding on emission. Now, qc_prep_pkts() is responsible to activate padding for this case, and there is no more special case in qc_do_build_pkt() needed. commit 8bc339a6ad4702f2c39b2a78aaaff665d85c762b BUG/MAJOR: quic: fix INITIAL padding with probing packet only However, qc_do_build_pkt() may still activate padding on its own, to ensure that a packet is big enough so that header protection decryption can be performed by the peer. HP decryption is performed by extracting a sample from the ciphered packet, starting 4 bytes after PN offset. Sample length is 16 bytes as defined by TLS algos used by QUIC. Thus, a QUIC sender must ensures that length of packet number plus payload fields to be at least 4 bytes long. This is enough given that each packet is completed by a 16 bytes AEAD tag which can be part of the HP sample. This patch simplifies qc_do_build_pkt() by centralizing padding for this case in a single location. This is performed at the end of the function after payload is completed. The code is thus simpler. This is not a bug. However, it may be interesting to backport this patch up to 2.6, as qc_do_build_pkt() is a tedious function, in particular when dealing with padding generation, thus it may benefit greatly from simplification. --- diff --git a/include/haproxy/quic_conn-t.h b/include/haproxy/quic_conn-t.h index a4c294be1..d2a09997a 100644 --- a/include/haproxy/quic_conn-t.h +++ b/include/haproxy/quic_conn-t.h @@ -145,6 +145,9 @@ enum quic_pkt_type { #define QUIC_PACKET_PNL_BITMASK 0x03 #define QUIC_PACKET_PN_MAXLEN 4 +/* TLS algo supported by QUIC uses a 16-bytes sample for HP. */ +#define QUIC_HP_SAMPLE_LEN 16 + /* * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 diff --git a/src/quic_tx.c b/src/quic_tx.c index 695841732..d457bf310 100644 --- a/src/quic_tx.c +++ b/src/quic_tx.c @@ -1950,13 +1950,6 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, add_ping_frm = 1; len += 1; dglen += 1; - - /* Ensure packet is big enough so that header protection sample - * decryption can be performed. Note that +1 is for the PING - * frame. - */ - if (!padding && *pn_len + 1 < QUIC_PACKET_PN_MAXLEN) - len += padding_len = QUIC_PACKET_PN_MAXLEN - *pn_len - 1; } /* Handle Initial packet padding if necessary. */ @@ -1974,14 +1967,29 @@ static int qc_do_build_pkt(unsigned char *pos, const unsigned char *end, } } } - else if (len_frms && len_frms < QUIC_PACKET_PN_MAXLEN) { - len += padding_len = QUIC_PACKET_PN_MAXLEN - len_frms; - } - /* TODO qc_do_build_pkt() must rely on its argument instead of using QEL field. */ - else if (LIST_ISEMPTY(&frm_list) && !cc && !qel->pktns->tx.pto_probe) { - /* If there is no frame at all to follow, add at least a PADDING frame. */ - if (!ack_frm_len) - len += padding_len = QUIC_PACKET_PN_MAXLEN - *pn_len; + + /* RFC 9001 5.4.2. Header Protection Sample + * + * To ensure that sufficient data is available for sampling, packets are + * padded so that the combined lengths of the encoded packet number and + * protected payload is at least 4 bytes longer than the sample required + * for header protection. The cipher suites defined in [TLS13] -- other + * than TLS_AES_128_CCM_8_SHA256, for which a header protection scheme + * is not defined in this document -- have 16-byte expansions and 16- + * byte header protection samples. This results in needing at least 3 + * bytes of frames in the unprotected payload if the packet number is + * encoded on a single byte, or 2 bytes of frames for a 2-byte packet + * number encoding. + */ + + /* Add padding if packet is too small for HP sampling as specified + * above. QUIC TLS algos relies on 16 bytes sample extracted 4 bytes + * after PN offset. Thus, pn and payload must be at least 4 bytes long, + * so that the sample will be extracted as the AEAD tag. + */ + if (*pn_len + len < QUIC_PACKET_PN_MAXLEN + QUIC_HP_SAMPLE_LEN) { + padding_len = QUIC_PACKET_PN_MAXLEN + QUIC_HP_SAMPLE_LEN - (*pn_len + len); + len += padding_len; } if (pkt->type != QUIC_PACKET_TYPE_SHORT && !quic_enc_int(&pos, end, len))