github.com/sagernet/quic-go@v0.43.1-beta.1/internal/handshake_ech/retry.go (about) 1 package handshake 2 3 import ( 4 "bytes" 5 "crypto/aes" 6 "crypto/cipher" 7 "fmt" 8 "sync" 9 10 "github.com/sagernet/quic-go/internal/protocol" 11 ) 12 13 var ( 14 retryAEADv1 cipher.AEAD // used for QUIC v1 (RFC 9000) 15 retryAEADv2 cipher.AEAD // used for QUIC v2 (RFC 9369) 16 ) 17 18 func init() { 19 retryAEADv1 = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e}) 20 retryAEADv2 = initAEAD([16]byte{0x8f, 0xb4, 0xb0, 0x1b, 0x56, 0xac, 0x48, 0xe2, 0x60, 0xfb, 0xcb, 0xce, 0xad, 0x7c, 0xcc, 0x92}) 21 } 22 23 func initAEAD(key [16]byte) cipher.AEAD { 24 aes, err := aes.NewCipher(key[:]) 25 if err != nil { 26 panic(err) 27 } 28 aead, err := cipher.NewGCM(aes) 29 if err != nil { 30 panic(err) 31 } 32 return aead 33 } 34 35 var ( 36 retryBuf bytes.Buffer 37 retryMutex sync.Mutex 38 retryNonceV1 = [12]byte{0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb} 39 retryNonceV2 = [12]byte{0xd8, 0x69, 0x69, 0xbc, 0x2d, 0x7c, 0x6d, 0x99, 0x90, 0xef, 0xb0, 0x4a} 40 ) 41 42 // GetRetryIntegrityTag calculates the integrity tag on a Retry packet 43 func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID, version protocol.Version) *[16]byte { 44 retryMutex.Lock() 45 defer retryMutex.Unlock() 46 47 retryBuf.WriteByte(uint8(origDestConnID.Len())) 48 retryBuf.Write(origDestConnID.Bytes()) 49 retryBuf.Write(retry) 50 defer retryBuf.Reset() 51 52 var tag [16]byte 53 var sealed []byte 54 if version == protocol.Version2 { 55 sealed = retryAEADv2.Seal(tag[:0], retryNonceV2[:], nil, retryBuf.Bytes()) 56 } else { 57 sealed = retryAEADv1.Seal(tag[:0], retryNonceV1[:], nil, retryBuf.Bytes()) 58 } 59 if len(sealed) != 16 { 60 panic(fmt.Sprintf("unexpected Retry integrity tag length: %d", len(sealed))) 61 } 62 return &tag 63 }