From bd172b2a5af08c65ab7fb926b6891a09cc6f7990 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Wed, 3 Mar 2021 23:01:42 +0800 Subject: [PATCH] fix retry key and nonce for draft-34 --- internal/handshake/retry.go | 28 ++++++++++++++++++++-------- internal/handshake/retry_test.go | 18 ++++++++++++------ internal/testutils/testutils.go | 2 +- server.go | 2 +- server_test.go | 2 +- session.go | 2 +- session_test.go | 2 +- 7 files changed, 37 insertions(+), 19 deletions(-) diff --git a/internal/handshake/retry.go b/internal/handshake/retry.go index 30be193c3..499d9e468 100644 --- a/internal/handshake/retry.go +++ b/internal/handshake/retry.go @@ -10,11 +10,17 @@ import ( "github.com/lucas-clemente/quic-go/internal/protocol" ) -var retryAEAD cipher.AEAD +var ( + oldRetryAEAD cipher.AEAD // used for QUIC draft versions up to 34 + retryAEAD cipher.AEAD // used for QUIC draft-34 +) func init() { - key := [16]byte{0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a, 0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a, 0x6c, 0xb9, 0x6b, 0xe1} + oldRetryAEAD = initAEAD([16]byte{0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a, 0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a, 0x6c, 0xb9, 0x6b, 0xe1}) + retryAEAD = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e}) +} +func initAEAD(key [16]byte) cipher.AEAD { aes, err := aes.NewCipher(key[:]) if err != nil { panic(err) @@ -23,24 +29,30 @@ func init() { if err != nil { panic(err) } - retryAEAD = aead + return aead } var ( - retryBuf bytes.Buffer - retryMutex sync.Mutex - retryNonce = [12]byte{0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c} + retryBuf bytes.Buffer + retryMutex sync.Mutex + oldRetryNonce = [12]byte{0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c} + retryNonce = [12]byte{0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb} ) // GetRetryIntegrityTag calculates the integrity tag on a Retry packet -func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID) *[16]byte { +func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID, version protocol.VersionNumber) *[16]byte { retryMutex.Lock() retryBuf.WriteByte(uint8(origDestConnID.Len())) retryBuf.Write(origDestConnID.Bytes()) retryBuf.Write(retry) var tag [16]byte - sealed := retryAEAD.Seal(tag[:0], retryNonce[:], nil, retryBuf.Bytes()) + var sealed []byte + if version != protocol.VersionDraft34 { + sealed = oldRetryAEAD.Seal(tag[:0], oldRetryNonce[:], nil, retryBuf.Bytes()) + } else { + sealed = retryAEAD.Seal(tag[:0], retryNonce[:], nil, retryBuf.Bytes()) + } if len(sealed) != 16 { panic(fmt.Sprintf("unexpected Retry integrity tag length: %d", len(sealed))) } diff --git a/internal/handshake/retry_test.go b/internal/handshake/retry_test.go index 9ea701c4f..86c36c362 100644 --- a/internal/handshake/retry_test.go +++ b/internal/handshake/retry_test.go @@ -9,22 +9,28 @@ import ( var _ = Describe("Retry Integrity Check", func() { It("calculates retry integrity tags", func() { - fooTag := GetRetryIntegrityTag([]byte("foo"), protocol.ConnectionID{1, 2, 3, 4}) - barTag := GetRetryIntegrityTag([]byte("bar"), protocol.ConnectionID{1, 2, 3, 4}) + fooTag := GetRetryIntegrityTag([]byte("foo"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29) + barTag := GetRetryIntegrityTag([]byte("bar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft29) Expect(fooTag).ToNot(BeNil()) Expect(barTag).ToNot(BeNil()) Expect(*fooTag).ToNot(Equal(*barTag)) }) It("includes the original connection ID in the tag calculation", func() { - t1 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{1, 2, 3, 4}) - t2 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{4, 3, 2, 1}) + t1 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{1, 2, 3, 4}, protocol.VersionDraft34) + t2 := GetRetryIntegrityTag([]byte("foobar"), protocol.ConnectionID{4, 3, 2, 1}, protocol.VersionDraft34) Expect(*t1).ToNot(Equal(*t2)) }) - It("uses the test vector from the draft", func() { + It("uses the test vector from the draft, for old draft versions", func() { connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708")) data := splitHexString("ffff00001d0008f067a5502a4262b574 6f6b656ed16926d81f6f9ca2953a8aa4 575e1e49") - Expect(GetRetryIntegrityTag(data[:len(data)-16], connID)[:]).To(Equal(data[len(data)-16:])) + Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.VersionDraft29)[:]).To(Equal(data[len(data)-16:])) + }) + + It("uses the test vector from the draft, for draft-34", func() { + connID := protocol.ConnectionID(splitHexString("0x8394c8f03e515708")) + data := splitHexString("ff000000010008f067a5502a4262b574 6f6b656e04a265ba2eff4d829058fb3f 0f2496ba") + Expect(GetRetryIntegrityTag(data[:len(data)-16], connID, protocol.VersionDraft34)[:]).To(Equal(data[len(data)-16:])) }) }) diff --git a/internal/testutils/testutils.go b/internal/testutils/testutils.go index 5790c9b8f..51851ad93 100644 --- a/internal/testutils/testutils.go +++ b/internal/testutils/testutils.go @@ -128,5 +128,5 @@ func ComposeRetryPacket( }, } data := writePacket(hdr, nil) - return append(data, handshake.GetRetryIntegrityTag(data, origDestConnID)[:]...) + return append(data, handshake.GetRetryIntegrityTag(data, origDestConnID, version)[:]...) } diff --git a/server.go b/server.go index 9e8ed815f..b839ffb37 100644 --- a/server.go +++ b/server.go @@ -575,7 +575,7 @@ func (s *baseServer) sendRetry(remoteAddr net.Addr, hdr *wire.Header) error { return err } // append the Retry integrity tag - tag := handshake.GetRetryIntegrityTag(buf.Bytes(), hdr.DestConnectionID) + tag := handshake.GetRetryIntegrityTag(buf.Bytes(), hdr.DestConnectionID, hdr.Version) buf.Write(tag[:]) if s.config.Tracer != nil { s.config.Tracer.SentPacket(remoteAddr, &replyHdr.Header, protocol.ByteCount(buf.Len()), nil) diff --git a/server_test.go b/server_test.go index 896d6d7fe..600c56ff8 100644 --- a/server_test.go +++ b/server_test.go @@ -476,7 +476,7 @@ var _ = Describe("Server", func() { Expect(replyHdr.SrcConnectionID).ToNot(Equal(hdr.DestConnectionID)) Expect(replyHdr.DestConnectionID).To(Equal(hdr.SrcConnectionID)) Expect(replyHdr.Token).ToNot(BeEmpty()) - Expect(b[len(b)-16:]).To(Equal(handshake.GetRetryIntegrityTag(b[:len(b)-16], hdr.DestConnectionID)[:])) + Expect(b[len(b)-16:]).To(Equal(handshake.GetRetryIntegrityTag(b[:len(b)-16], hdr.DestConnectionID, hdr.Version)[:])) return len(b), nil }) serv.handlePacket(packet) diff --git a/session.go b/session.go index eb1042994..aca4ee726 100644 --- a/session.go +++ b/session.go @@ -970,7 +970,7 @@ func (s *session) handleRetryPacket(hdr *wire.Header, data []byte) bool /* was t return false } - tag := handshake.GetRetryIntegrityTag(data[:len(data)-16], destConnID) + tag := handshake.GetRetryIntegrityTag(data[:len(data)-16], destConnID, hdr.Version) if !bytes.Equal(data[len(data)-16:], tag[:]) { if s.tracer != nil { s.tracer.DroppedPacket(logging.PacketTypeRetry, protocol.ByteCount(len(data)), logging.PacketDropPayloadDecryptError) diff --git a/session_test.go b/session_test.go index 5e8cb97b7..2287516ca 100644 --- a/session_test.go +++ b/session_test.go @@ -2660,7 +2660,7 @@ var _ = Describe("Client Session", func() { getRetryTag := func(hdr *wire.ExtendedHeader) []byte { buf := &bytes.Buffer{} hdr.Write(buf, sess.version) - return handshake.GetRetryIntegrityTag(buf.Bytes(), origDestConnID)[:] + return handshake.GetRetryIntegrityTag(buf.Bytes(), origDestConnID, hdr.Version)[:] } It("handles Retry packets", func() {