QUIC WIRE: Allow encoding/decoding of reserved header bits

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21135)
openssl · Jul 16, 2023 · 5b9452e · 5b9452e
1 parent 22f21fb
commit 5b9452e
Show file tree

Hide file tree

Showing 5 changed files with 234 additions and 9 deletions.
diff --git a/include/internal/quic_wire_pkt.h b/include/internal/quic_wire_pkt.h
@@ -350,6 +350,14 @@ typedef struct quic_pkt_hdr_st {
      */
     unsigned int    unused      :4;
 
+    /*
+     * The 'Reserved' bits in an Initial, Handshake, 0-RTT or 1-RTT packet
+     * header's first byte. These are provided so that the caller can validate
+     * that they are zero, as this must be done after packet protection is
+     * successfully removed to avoid creating a timing channel.
+     */
+    unsigned int    reserved    :2;
+
     /* [L] Version field. Valid if (type != 1RTT). */
     uint32_t        version;
 

diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c
@@ -1015,6 +1015,7 @@ static int txp_generate_for_el(OSSL_QUIC_TX_PACKETISER *txp, uint32_t enc_level,
     phdr.pn_len         = txp_determine_pn_len(txp);
     phdr.partial        = 0;
     phdr.fixed          = 1;
+    phdr.reserved       = 0;
     phdr.version        = QUIC_VERSION_1;
     phdr.dst_conn_id    = txp->args.cur_dcid;
     phdr.src_conn_id    = txp->args.cur_scid;

diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c
@@ -182,8 +182,9 @@ int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt,
         || !PACKET_get_1(pkt, &b0))
         return 0;
 
-    hdr->partial = partial;
-    hdr->unused  = 0;
+    hdr->partial    = partial;
+    hdr->unused     = 0;
+    hdr->reserved   = 0;
 
     if ((b0 & 0x80) == 0) {
         /* Short header. */
@@ -200,9 +201,11 @@ int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt,
         if (partial) {
             hdr->key_phase  = 0; /* protected, zero for now */
             hdr->pn_len     = 0; /* protected, zero for now */
+            hdr->reserved   = 0; /* protected, zero for now */
         } else {
-            hdr->key_phase  = (b0 & 0x4) != 0;
-            hdr->pn_len     = (b0 & 0x3) + 1;
+            hdr->key_phase  = (b0 & 0x04) != 0;
+            hdr->pn_len     = (b0 & 0x03) + 1;
+            hdr->reserved   = (b0 & 0x18) >> 3;
         }
 
         /* Copy destination connection ID field to header structure. */
@@ -368,7 +371,8 @@ int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt,
                 /* Initial, 0-RTT or Handshake packet. */
                 uint64_t len;
 
-                hdr->pn_len = partial ? 0 : (b0 & 3) + 1;
+                hdr->pn_len     = partial ? 0 : ((b0 & 0x03) + 1);
+                hdr->reserved   = partial ? 0 : ((b0 & 0x0C) >> 2);
 
                 if (!PACKET_get_quic_vlint(pkt, &len)
                         || len < sizeof(hdr->pn))
@@ -464,6 +468,7 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt,
         b0 = (hdr->spin_bit << 5)
              | (hdr->key_phase << 2)
              | (hdr->pn_len - 1)
+             | (hdr->reserved << 3)
              | 0x40; /* fixed bit */
 
         if (!WPACKET_put_bytes_u8(pkt, b0)
@@ -503,8 +508,10 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt,
         b0 = (raw_type << 4) | 0x80; /* long */
         if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed)
             b0 |= 0x40; /* fixed */
-        if (ossl_quic_pkt_type_has_pn(hdr->type))
+        if (ossl_quic_pkt_type_has_pn(hdr->type)) {
             b0 |= hdr->pn_len - 1;
+            b0 |= (hdr->reserved << 2);
+        }
         if (hdr->type == QUIC_PKT_TYPE_RETRY)
             b0 |= hdr->unused;