Add sample Retry packet

draft-ietf-quic-tls.md

@@ -874,8 +874,7 @@ Note:
   that the server received its packet; the client has to rely on the exchange
   that included the Retry packet for that property.
 
-{{test-vectors-initial}} contains test vectors for the initial packet
-encryption.
+{{test-vectors}} contains test vectors for packet encryption.
 
 
 ## AEAD Usage {#aead}
@@ -1778,13 +1777,13 @@ values in the following registries:
 
 --- back
 
-# Sample Initial Packet Protection {#test-vectors-initial}
+# Sample Packet Protection {#test-vectors}
 
-This section shows examples of packet protection for Initial packets so that
-implementations can be verified incrementally.  These packets use an 8-byte
-client-chosen Destination Connection ID of 0x8394c8f03e515708.  Values for both
-server and client packet protection are shown together with values in
-hexadecimal.
+This section shows examples of packet protection so that implementations can be
+verified incrementally. Samples of Initial packets from both client and server,
+plus a Retry packet are defined. These packets use an 8-byte client-chosen
+Destination Connection ID of 0x8394c8f03e515708. Some intermediate values are
+included. All values are shown in hexadecimal.
 
 
 ## Keys
@@ -1851,7 +1850,7 @@ hp  = HKDF-Expand-Label(server_initial_secret, "quic hp", _, 16)
 ~~~
 
 
-## Client Initial
+## Client Initial {#sample-client-initial}
 
 The client sends an Initial packet.  The unprotected payload of this packet
 contains the following CRYPTO frame, plus enough PADDING frames to make a 1162
@@ -1934,6 +1933,7 @@ acde6758312622d4fa675b39f728e062 d2bee680d8f41a597c262648bb18bcfc
 aebe13f98ec51170a4aad0a8324bb768
 ~~~
 
+
 ## Server Initial
 
 The server sends the following payload in response, including an ACK frame, a
@@ -1973,6 +1973,19 @@ cd32f0b5004d9f5754c4f7f2d1f35cf3 f7116351c92b99c8ae5833225cb51855
 ~~~
 
 
+## Retry
+
+This shows a Retry packet that might be sent in response to the Initial packet
+in {{sample-client-initial}}. The integrity check includes the client-chosen
+connection ID value of 0x8394c8f03e515708, but that value is not
+included in the final Retry packet:
+
+~~~
+ffff0000190008f067a5502a4262b574 6f6b656e1e5ec5b014cbb1f0fd93df40
+48c446a6
+~~~
+
+
 # Change Log
 
 > **RFC Editor's Note:** Please remove this section prior to publication of a

initial-protection.js → protection-samples.js

@@ -15,6 +15,8 @@ var SHA256 = 'sha256';
 var AES_GCM = 'aes-128-gcm';
 var AES_ECB = 'aes-128-ecb';
 
+var version = 'ff000019';
+
 function log(m, k) {
   console.log(m + ' [' + k.length + ']: ' + k.toString('hex'));
 };
@@ -252,11 +254,32 @@ function test(role, cid, hdr, pn, body) {
   }
 }
 
-var version = 'ff000019'
+function hex_cid(cid) {
+  return '0' + (cid.length / 2).toString(16) + cid;
+}
+
+function retry(dcid, scid, odcid) {
+  var pfx = Buffer.from(hex_cid(odcid), 'hex');
+  var encoded = Buffer.from('ff' + version + hex_cid(dcid) + hex_cid(scid), 'hex');
+  var token = Buffer.from('token', 'ascii');
+  var header = Buffer.concat([encoded, token]);
+  log('retry header', header);
+  var aad = Buffer.concat([pfx, header]);
+  log('retry aad', aad);
+
+  var key = Buffer.from('4d32ecdb2a2133c841e4043df27d4430', 'hex');
+  var nonce = Buffer.from('4d1611d05513a552c587d575', 'hex');
+
+  var gcm = crypto.createCipheriv(AES_GCM, key, nonce);
+  gcm.setAAD(aad);
+  gcm.update('');
+  gcm.final();
+  log('retry', Buffer.concat([header, gcm.getAuthTag()]));
+}
+
 var cid = '8394c8f03e515708';
 
-var dcidl = '0' + (cid.length / 2).toString(16);
-var ci_hdr = 'c3' + version + dcidl + cid + '0000';
+var ci_hdr = 'c3' + version + hex_cid(cid) + '0000';
 // This is a client Initial.  Unfortunately, the ClientHello currently omits
 // the transport_parameters extension.
 var crypto_frame = '060040c4' +
@@ -277,6 +300,7 @@ var frames = '0d0000000018410a' +
     '690b84d08a60993c144eca684d1081287c834d5311' +
     'bcf32bb9da1a002b00020304';
 var scid = 'f067a5502a4262b5';
-var scidl = '0' + (scid.length / 2).toString(16);
-var si_hdr = 'c1' + version + '00' + scidl + scid + '00';
+var si_hdr = 'c1' + version + '00' + hex_cid(scid) + '00';
 test('server', cid, si_hdr, 1, frames);
+
+retry('', scid, cid);