mirror of
https://github.com/refraction-networking/uquic.git
synced 2025-04-03 20:27:35 +03:00
fix retry key and nonce for draft-34
This commit is contained in:
Marten Seemann
parent
2c45f2b11d
commit
bd172b2a5a
7 changed files with 37 additions and 19 deletions
|
|
@ -10,11 +10,17 @@ import (
|
|||
"github.com/lucas-clemente/quic-go/internal/protocol"
|
||||
)
|
||||
|
||||
var retryAEAD cipher.AEAD
|
||||
var (
|
||||
oldRetryAEAD cipher.AEAD // used for QUIC draft versions up to 34
|
||||
retryAEAD cipher.AEAD // used for QUIC draft-34
|
||||
)
|
||||
|
||||
func init() {
|
||||
key := [16]byte{0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a, 0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a, 0x6c, 0xb9, 0x6b, 0xe1}
|
||||
oldRetryAEAD = initAEAD([16]byte{0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a, 0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a, 0x6c, 0xb9, 0x6b, 0xe1})
|
||||
retryAEAD = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e})
|
||||
}
|
||||
|
||||
func initAEAD(key [16]byte) cipher.AEAD {
|
||||
aes, err := aes.NewCipher(key[:])
|
||||
if err != nil {
|
||||
panic(err)
|
||||
|
|
@ -23,24 +29,30 @@ func init() {
|
|||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
retryAEAD = aead
|
||||
return aead
|
||||
}
|
||||
|
||||
var (
|
||||
retryBuf bytes.Buffer
|
||||
retryMutex sync.Mutex
|
||||
retryNonce = [12]byte{0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c}
|
||||
retryBuf bytes.Buffer
|
||||
retryMutex sync.Mutex
|
||||
oldRetryNonce = [12]byte{0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c}
|
||||
retryNonce = [12]byte{0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb}
|
||||
)
|
||||
|
||||
// GetRetryIntegrityTag calculates the integrity tag on a Retry packet
|
||||
func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID) *[16]byte {
|
||||
func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID, version protocol.VersionNumber) *[16]byte {
|
||||
retryMutex.Lock()
|
||||
retryBuf.WriteByte(uint8(origDestConnID.Len()))
|
||||
retryBuf.Write(origDestConnID.Bytes())
|
||||
retryBuf.Write(retry)
|
||||
|
||||
var tag [16]byte
|
||||
sealed := retryAEAD.Seal(tag[:0], retryNonce[:], nil, retryBuf.Bytes())
|
||||
var sealed []byte
|
||||
if version != protocol.VersionDraft34 {
|
||||
sealed = oldRetryAEAD.Seal(tag[:0], oldRetryNonce[:], nil, retryBuf.Bytes())
|
||||
} else {
|
||||
sealed = retryAEAD.Seal(tag[:0], retryNonce[:], nil, retryBuf.Bytes())
|
||||
}
|
||||
if len(sealed) != 16 {
|
||||
panic(fmt.Sprintf("unexpected Retry integrity tag length: %d", len(sealed)))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,22 +9,28 @@ import (
|
|||
|
||||
var _ = Describe("Retry Integrity Check", func() {
|
||||
It("calculates retry integrity tags", func() {
|
||||
fooTag := GetRetryIntegrityTag([]byte("foo"), protocol.ConnectionID{1, 2, 3, 4})
|
||||
barTag := GetRetryIntegrityTag([]byte("bar"), protocol.ConnectionID{1, 2, 3, 4})
|
||||
fooTag := GetRetryIntegrityTag([]byte("foo"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29)
|
||||
barTag := GetRetryIntegrityTag([]byte("bar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29)
|
||||
Expect(fooTag).ToNot(BeNil())
|
||||
Expect(barTag).ToNot(BeNil())
|
||||
Expect(*fooTag).ToNot(Equal(*barTag))
|
||||
})
|
||||
|
||||
It("includes the original connection ID in the tag calculation", func() {
|
||||
t1 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{1, 2, 3, 4})
|
||||
t2 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{4, 3, 2, 1})
|
||||
t1 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft34)
|
||||
t2 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{4, 3, 2, 1}, protocol.VersionDraft34)
|
||||
Expect(*t1).ToNot(Equal(*t2))
|
||||
})
|
||||
|
||||
It("uses the test vector from the draft", func() {
|
||||
It("uses the test vector from the draft, for old draft versions", func() {
|
||||
connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708"))
|
||||
data := splitHexString("ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4 575e1e49")
|
||||
Expect(GetRetryIntegrityTag(data[:len(data)-16], connID)[:]).To(Equal(data[len(data)-16:]))
|
||||
Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.VersionDraft29)[:]).To(Equal(data[len(data)-16:]))
|
||||
})
|
||||
|
||||
It("uses the test vector from the draft, for draft-34", func() {
|
||||
connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708"))
|
||||
data := splitHexString("ff000000010008f067a5502a4262b574 6f6b656e04a265ba2eff4d829058fb3f 0f2496ba")
|
||||
Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.VersionDraft34)[:]).To(Equal(data[len(data)-16:]))
|
||||
})
|
||||
})
|
||||
|
|
|
|||
|
|
@ -128,5 +128,5 @@ func ComposeRetryPacket(
|
|||
},
|
||||
}
|
||||
data := writePacket(hdr, nil)
|
||||
return append(data, handshake.GetRetryIntegrityTag(data, origDestConnID)[:]...)
|
||||
return append(data, handshake.GetRetryIntegrityTag(data, origDestConnID, version)[:]...)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -575,7 +575,7 @@ func (s *baseServer) sendRetry(remoteAddr net.Addr, hdr *wire.Header) error {
|
|||
return err
|
||||
}
|
||||
// append the Retry integrity tag
|
||||
tag := handshake.GetRetryIntegrityTag(buf.Bytes(), hdr.DestConnectionID)
|
||||
tag := handshake.GetRetryIntegrityTag(buf.Bytes(), hdr.DestConnectionID, hdr.Version)
|
||||
buf.Write(tag[:])
|
||||
if s.config.Tracer != nil {
|
||||
s.config.Tracer.SentPacket(remoteAddr, &replyHdr.Header, protocol.ByteCount(buf.Len()), nil)
|
||||
|
|
|
|||
|
|
@ -476,7 +476,7 @@ var _ = Describe("Server", func() {
|
|||
Expect(replyHdr.SrcConnectionID).ToNot(Equal(hdr.DestConnectionID))
|
||||
Expect(replyHdr.DestConnectionID).To(Equal(hdr.SrcConnectionID))
|
||||
Expect(replyHdr.Token).ToNot(BeEmpty())
|
||||
Expect(b[len(b)-16:]).To(Equal(handshake.GetRetryIntegrityTag(b[:len(b)-16], hdr.DestConnectionID)[:]))
|
||||
Expect(b[len(b)-16:]).To(Equal(handshake.GetRetryIntegrityTag(b[:len(b)-16], hdr.DestConnectionID, hdr.Version)[:]))
|
||||
return len(b), nil
|
||||
})
|
||||
serv.handlePacket(packet)
|
||||
|
|
|
|||
|
|
@ -970,7 +970,7 @@ func (s *session) handleRetryPacket(hdr *wire.Header, data []byte) bool /* was t
|
|||
return false
|
||||
}
|
||||
|
||||
tag := handshake.GetRetryIntegrityTag(data[:len(data)-16], destConnID)
|
||||
tag := handshake.GetRetryIntegrityTag(data[:len(data)-16], destConnID, hdr.Version)
|
||||
if !bytes.Equal(data[len(data)-16:], tag[:]) {
|
||||
if s.tracer != nil {
|
||||
s.tracer.DroppedPacket(logging.PacketTypeRetry, protocol.ByteCount(len(data)), logging.PacketDropPayloadDecryptError)
|
||||
|
|
|
|||
|
|
@ -2660,7 +2660,7 @@ var _ = Describe("Client Session", func() {
|
|||
getRetryTag := func(hdr *wire.ExtendedHeader) []byte {
|
||||
buf := &bytes.Buffer{}
|
||||
hdr.Write(buf, sess.version)
|
||||
return handshake.GetRetryIntegrityTag(buf.Bytes(), origDestConnID)[:]
|
||||
return handshake.GetRetryIntegrityTag(buf.Bytes(), origDestConnID, hdr.Version)[:]
|
||||
}
|
||||
|
||||
It("handles Retry packets", func() {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue