From edff8245c8e4c37b81228ed749c5ec3ee32c90c8 Mon Sep 17 00:00:00 2001
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 May 2018 10:22:43 +1000
Subject: [PATCH 1/5] Make the packet number encryption sampling clearer

Fixes #1387.
---
 draft-ietf-quic-tls.md | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index f224290227..62a5993111 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -942,16 +942,28 @@ Packet number protection is applied after packet protection is applied (see
 encryption algorithm.
 
 In sampling the packet ciphertext, the packet number length is assumed to be the
-smaller of the maximum possible packet number encoding (4 octets), or the size
-of the protected packet minus the minimum expansion for the AEAD.  For example,
-the sampled ciphertext for a packet with a short header can be determined by:
+smaller of the maximum possible packet number encoding (4 octets), or the
+remaining space in the packet when the minimum expansion for the AEAD is
+subtracted.  For example, the sampled ciphertext for a packet with a short
+header can be determined by:
 
 ~~~
-sample_offset = min(1 + connection_id_length + 4,
+sample_offset = min(1 + len(connection_id) + 4,
                     packet_length - aead_expansion)
 sample = packet[sample_offset..sample_offset+sample_length]
 ~~~
 
+A packet with a long header is sampled in the same way, noting that multiple
+QUIC packets might be included in the same UDP datagram and that each one is
+handled separately.
+
+~~~
+sample_offset = min(2 + len(destination_connection_id) +
+                      len(source_connection_id) +
+                      len(payload_length) + 4,
+                    packet_length - aead_expansion)
+~~~
+
 To ensure that this process does not sample the packet number, packet number
 protection algorithms MUST NOT sample more ciphertext than the minimum
 expansion of the corresponding AEAD.

From 5b81241afde217913da969b9818988f3015ffd11 Mon Sep 17 00:00:00 2001
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 May 2018 10:39:51 +1000
Subject: [PATCH 2/5] Include packet number in the length field for long
 headers

This ensures that the packet number encryption can work because that relies on knowing where the end of the packet is.

This means that packet coalescing in -12 was busted.
---
 draft-ietf-quic-transport.md | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index 0bbe24d707..425bd59f5c 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -280,7 +280,7 @@ keys are established.
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                 Source Connection ID (0/32..144)            ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-|                       Payload Length (i)                    ...
+|                           Length (i)                        ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                     Packet Number (8/16/32)                   |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -337,10 +337,11 @@ Source Connection ID:
   either 0 octets in length or between 4 and 18 octets. {{connection-id}}
   describes the use of this field in more detail.
 
-Payload Length:
+Length:
 
-: The length of the Payload field in octets, encoded as a variable-length
-  integer ({{integer-encoding}}).
+: The length of the remainder of the packet (that is, the Packet Number and
+  Payload fields) in octets, encoded as a variable-length integer
+  ({{integer-encoding}}).
 
 Packet Number:
 
@@ -373,10 +374,13 @@ The interpretation of the fields and the payload are specific to a version and
 packet type.  Type-specific semantics for this version are described in the
 following sections.
 
-The end of the Payload field (which is also the end of the long header
-packet) is determined by the value of the Payload Length field.
-Senders can sometimes coalesce multiple packets into one UDP datagram.
-See {{packet-coalesce}} for more details.
+The end of the packet is determined by the Length field.  The Length field
+covers the both the Packet Number and Payload fields, both of which are
+confidentiality protected and initially of unknown length.  The size of the
+Payload field is learned once the packet number protection is removed.
+
+Senders can sometimes coalesce multiple packets into one UDP datagram.  See
+{{packet-coalesce}} for more details.
 
 
 ## Short Header
@@ -4568,4 +4572,3 @@ Hamilton, Jana Iyengar, Fedor Kouranov, Charles Krasic, Jo Kulik, Adam Langley,
 Jim Roskind, Robbie Shade, Satyam Shekhar, Cherie Shi, Ian Swett, Raman Tenneti,
 Victor Vasiliev, Antonio Vicente, Patrik Westin, Alyssa Wilk, Dale Worley, Fan
 Yang, Dan Zhang, Daniel Ziegler.
-

From c408ba49093c53bb2c2fcc2b8ec0d7a84175daa8 Mon Sep 17 00:00:00 2001
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 May 2018 10:52:35 +1000
Subject: [PATCH 3/5] Missed version

---
 draft-ietf-quic-tls.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index 62a5993111..641248586d 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -958,7 +958,7 @@ QUIC packets might be included in the same UDP datagram and that each one is
 handled separately.
 
 ~~~
-sample_offset = min(2 + len(destination_connection_id) +
+sample_offset = min(6 + len(destination_connection_id) +
                       len(source_connection_id) +
                       len(payload_length) + 4,
                     packet_length - aead_expansion)

From 10df2aba8abf129badd3ebfdc0e74b73de3d0eb4 Mon Sep 17 00:00:00 2001
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 May 2018 11:15:01 +1000
Subject: [PATCH 4/5] Rephrase the description of sampled ciphertext

This was missing a few things, which made it confusing.
---
 draft-ietf-quic-tls.md | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index 641248586d..76f7fc5e61 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -941,15 +941,21 @@ Packet number protection is applied after packet protection is applied (see
 {{aead}}).  The ciphertext of the packet is sampled and used as input to an
 encryption algorithm.
 
-In sampling the packet ciphertext, the packet number length is assumed to be the
-smaller of the maximum possible packet number encoding (4 octets), or the
-remaining space in the packet when the minimum expansion for the AEAD is
-subtracted.  For example, the sampled ciphertext for a packet with a short
-header can be determined by:
+In sampling the packet ciphertext, the packet number length is assumed to be
+either 4 octets (its maximum possible encoded length), unless there is
+insufficient space in the packet for sampling.  The sampled ciphertext starts
+after allowing for a 4 octet packet number unless this would cause the sample to
+extend past the end of the packet.  If the sample would extend past the end of
+the packet, the end of the packet is sampled.
+
+For example, the sampled ciphertext for a packet with a short header can be
+determined by:
 
 ~~~
-sample_offset = min(1 + len(connection_id) + 4,
-                    packet_length - aead_expansion)
+sample_offset = 1 + len(connection_id) + 4
+
+if sample_offset + sample_length > packet_length then
+    sample_offset = packet_length - sample_length
 sample = packet[sample_offset..sample_offset+sample_length]
 ~~~
 
@@ -958,10 +964,9 @@ QUIC packets might be included in the same UDP datagram and that each one is
 handled separately.
 
 ~~~
-sample_offset = min(6 + len(destination_connection_id) +
-                      len(source_connection_id) +
-                      len(payload_length) + 4,
-                    packet_length - aead_expansion)
+sample_offset = 6 + len(destination_connection_id) +
+                    len(source_connection_id) +
+                    len(payload_length) + 4
 ~~~
 
 To ensure that this process does not sample the packet number, packet number

From 0cdfe026fef92139f6660897d9218a6a10d1ca19 Mon Sep 17 00:00:00 2001
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 29 May 2018 12:34:08 +1000
Subject: [PATCH 5/5] Remove either

---
 draft-ietf-quic-tls.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index 76f7fc5e61..7dd47f1221 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -942,11 +942,11 @@ Packet number protection is applied after packet protection is applied (see
 encryption algorithm.
 
 In sampling the packet ciphertext, the packet number length is assumed to be
-either 4 octets (its maximum possible encoded length), unless there is
-insufficient space in the packet for sampling.  The sampled ciphertext starts
-after allowing for a 4 octet packet number unless this would cause the sample to
-extend past the end of the packet.  If the sample would extend past the end of
-the packet, the end of the packet is sampled.
+4 octets (its maximum possible encoded length), unless there is insufficient
+space in the packet for sampling.  The sampled ciphertext starts after allowing
+for a 4 octet packet number unless this would cause the sample to extend past
+the end of the packet.  If the sample would extend past the end of the packet,
+the end of the packet is sampled.
 
 For example, the sampled ciphertext for a packet with a short header can be
 determined by: