github.com/apernet/quic-go@v0.43.1-0.20240515053213-5e9e635fd9f0/internal/handshake/retry.go (about)

     1  package handshake
     2  
     3  import (
     4  	"bytes"
     5  	"crypto/aes"
     6  	"crypto/cipher"
     7  	"fmt"
     8  	"sync"
     9  
    10  	"github.com/apernet/quic-go/internal/protocol"
    11  )
    12  
    13  var (
    14  	retryAEADv1 cipher.AEAD // used for QUIC v1 (RFC 9000)
    15  	retryAEADv2 cipher.AEAD // used for QUIC v2 (RFC 9369)
    16  )
    17  
    18  func init() {
    19  	retryAEADv1 = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e})
    20  	retryAEADv2 = initAEAD([16]byte{0x8f, 0xb4, 0xb0, 0x1b, 0x56, 0xac, 0x48, 0xe2, 0x60, 0xfb, 0xcb, 0xce, 0xad, 0x7c, 0xcc, 0x92})
    21  }
    22  
    23  func initAEAD(key [16]byte) cipher.AEAD {
    24  	aes, err := aes.NewCipher(key[:])
    25  	if err != nil {
    26  		panic(err)
    27  	}
    28  	aead, err := cipher.NewGCM(aes)
    29  	if err != nil {
    30  		panic(err)
    31  	}
    32  	return aead
    33  }
    34  
    35  var (
    36  	retryBuf     bytes.Buffer
    37  	retryMutex   sync.Mutex
    38  	retryNonceV1 = [12]byte{0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb}
    39  	retryNonceV2 = [12]byte{0xd8, 0x69, 0x69, 0xbc, 0x2d, 0x7c, 0x6d, 0x99, 0x90, 0xef, 0xb0, 0x4a}
    40  )
    41  
    42  // GetRetryIntegrityTag calculates the integrity tag on a Retry packet
    43  func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID, version protocol.Version) *[16]byte {
    44  	retryMutex.Lock()
    45  	defer retryMutex.Unlock()
    46  
    47  	retryBuf.WriteByte(uint8(origDestConnID.Len()))
    48  	retryBuf.Write(origDestConnID.Bytes())
    49  	retryBuf.Write(retry)
    50  	defer retryBuf.Reset()
    51  
    52  	var tag [16]byte
    53  	var sealed []byte
    54  	if version == protocol.Version2 {
    55  		sealed = retryAEADv2.Seal(tag[:0], retryNonceV2[:], nil, retryBuf.Bytes())
    56  	} else {
    57  		sealed = retryAEADv1.Seal(tag[:0], retryNonceV1[:], nil, retryBuf.Bytes())
    58  	}
    59  	if len(sealed) != 16 {
    60  		panic(fmt.Sprintf("unexpected Retry integrity tag length: %d", len(sealed)))
    61  	}
    62  	return &tag
    63  }