* address, with <payload_len> as payload length, <aad> as address of
* the ADD and <aad_len> as AAD length depending on the <tls_ctx> QUIC TLS
* context.
- * Returns 1 if succeeded, 0 if not.
+ *
+ * TODO no error is expected as encryption is done in place but encryption
+ * manual is unclear. <fail> will be set to true if an error is detected.
*/
-static int quic_packet_encrypt(unsigned char *payload, size_t payload_len,
- unsigned char *aad, size_t aad_len, uint64_t pn,
- struct quic_tls_ctx *tls_ctx, struct quic_conn *qc)
+static void quic_packet_encrypt(unsigned char *payload, size_t payload_len,
+ unsigned char *aad, size_t aad_len, uint64_t pn,
+ struct quic_tls_ctx *tls_ctx, struct quic_conn *qc,
+ int *fail)
{
- int ret = 0;
unsigned char iv[QUIC_TLS_IV_LEN];
unsigned char *tx_iv = tls_ctx->tx.iv;
size_t tx_iv_sz = tls_ctx->tx.ivlen;
struct enc_debug_info edi;
TRACE_ENTER(QUIC_EV_CONN_ENCPKT, qc);
+ *fail = 0;
quic_aead_iv_build(iv, sizeof iv, tx_iv, tx_iv_sz, pn);
if (!quic_tls_encrypt(payload, payload_len, aad, aad_len,
tls_ctx->tx.ctx, tls_ctx->tx.aead, tls_ctx->tx.key, iv)) {
TRACE_ERROR("QUIC packet encryption failed", QUIC_EV_CONN_ENCPKT, qc);
- goto err;
+ *fail = 1;
+ enc_debug_info_init(&edi, payload, payload_len, aad, aad_len, pn);
}
- ret = 1;
- leave:
TRACE_LEAVE(QUIC_EV_CONN_ENCPKT, qc);
- return ret;
-
- err:
- enc_debug_info_init(&edi, payload, payload_len, aad, aad_len, pn);
- goto leave;
}
/* Select the correct TLS cipher context to used to decipher <pkt> packet
/* Apply QUIC header protection to the packet with <pos> as first byte address,
* <pn> as address of the Packet number field, <pnlen> being this field length
* with <aead> as AEAD cipher and <key> as secret key.
- * Returns 1 if succeeded or 0 if failed.
+ *
+ * TODO no error is expected as encryption is done in place but encryption
+ * manual is unclear. <fail> will be set to true if an error is detected.
*/
-static int quic_apply_header_protection(struct quic_conn *qc, unsigned char *pos,
+void quic_apply_header_protection(struct quic_conn *qc, unsigned char *pos,
unsigned char *pn, size_t pnlen,
- struct quic_tls_ctx *tls_ctx)
+ struct quic_tls_ctx *tls_ctx, int *fail)
{
- int i, ret = 0;
+ int i;
/* We need an IV of at least 5 bytes: one byte for bytes #0
* and at most 4 bytes for the packet number
*/
TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc);
+ *fail = 0;
+
if (!quic_tls_aes_encrypt(mask, pn + QUIC_PACKET_PN_MAXLEN, sizeof mask, aes_ctx)) {
TRACE_ERROR("could not apply header protection", QUIC_EV_CONN_TXPKT, qc);
+ *fail = 1;
goto out;
}
for (i = 0; i < pnlen; i++)
pn[i] ^= mask[i + 1];
- ret = 1;
out:
TRACE_LEAVE(QUIC_EV_CONN_TXPKT, qc);
- return ret;
}
/* Prepare into <outlist> as most as possible ack-eliciting frame from their
int64_t pn;
size_t pn_len, payload_len, aad_len;
struct quic_tx_packet *pkt;
+ int encrypt_failure = 0;
TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc);
TRACE_PROTO("TX pkt build", QUIC_EV_CONN_TXPKT, qc, NULL, qel);
payload_len = last_byte - payload;
aad_len = payload - first_byte;
- if (!quic_packet_encrypt(payload, payload_len, first_byte, aad_len, pn, tls_ctx, qc)) {
- // trace already emitted by function above
+ quic_packet_encrypt(payload, payload_len, first_byte, aad_len, pn, tls_ctx, qc, &encrypt_failure);
+ if (encrypt_failure) {
+ /* TODO Unrecoverable failure, what to do of unencrypted input data ? */
+ WARN_ON("quic_packet_encrypt failure");
*err = -2;
goto err;
}
last_byte += QUIC_TLS_TAG_LEN;
pkt->len += QUIC_TLS_TAG_LEN;
- if (!quic_apply_header_protection(qc, first_byte, buf_pn, pn_len, tls_ctx)) {
- // trace already emitted by function above
+ quic_apply_header_protection(qc, first_byte, buf_pn, pn_len, tls_ctx, &encrypt_failure);
+ if (encrypt_failure) {
+ /* TODO Unrecoverable failure, what to do of unencrypted input data ? */
+ WARN_ON("quic_apply_header_protection failure");
*err = -2;
goto err;
}
projects / thirdparty / haproxy.git / commitdiff
