From 9a7ef222035536493a3a00a1efdbcbdf4a645da6 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Wed, 10 Jun 2020 19:32:32 +1000
Subject: [PATCH 1/3] Make the TLS messages plausible

Here is the breakdown of the ClientHello:

```
060040f1 = CRYPTO offset 0, length 241
010000ed = TLS Handshake length 237
0303 = version: TLS 1.2
ebf8fa56f12939b9584a3896472ec40bb863cfd3e86804fe3a47f06a2b69484c = random
00 = legacy_session_id
0004 13011302 = cipher_suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
0100 = legacy_compression_methods: none
00e0 = extensions length 194
0000 0010 000e 00 000b 6578616d706c652e636f6d = server name: example.com
ff01 0001 00 = renegotiation info
000a 0008 0006 001d00170018 = supported groups: 25519, P-256, P-384
0010 0007 000504616c706e = alpn: h3-28
0005 0005 0100000000 = certificate status
0033 0026 0024001d00209370b2c9caa47fbabaf4559fedba753de171fa71f50f1ce15d43e994ec74d748 = key share: 25519
002b 0003 020304 = supported versions: TLS 1.3
000d 0010 000e 0403050306030203080408050806 = signature algorithms: some irrelevant stuff here
002d 0002 0101 = psk modes: psk+dh
001c 0002 4001 = record size limit: max
ffa5 0032 = QUIC transport parameters extension
04 08 ffffffffffffffff = initial_max_data 2^62-1
05 04 8000ffff = initial_max_stream_data_bidi_local 2^16-1
07 04 8000ffff = initial_max_stream_data_uni 2^16-1
08 01 10 = initial_max_streams_bidi 16
01 04 80007530 = max_idle_timeout 30s
09 01 10 = initial_max_streams_uni 16
0f 08 8394c8f03e515708 = initial_source_connection_id
06 04 8000ffff = initial_max_stream_data_bidi_remote 2^16-1
```

The ServerHello was OK, but the framing wasn't.
---
 protection-samples.js | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/protection-samples.js b/protection-samples.js
index 9b8b28a7ba..062f098888 100755
--- a/protection-samples.js
+++ b/protection-samples.js
@@ -337,18 +337,20 @@ var cid = '8394c8f03e515708';
 var ci_hdr = 'c3' + version + hex_cid(cid) + '0000';
 // This is a client Initial. Unfortunately, the ClientHello currently omits
 // the transport_parameters extension.
-var crypto_frame = '060040c4' +
- '010000c003036660261ff947cea49cce6cfad687f457cf1b14531ba14131a0e8' +
- 'f309a1d0b9c4000006130113031302010000910000000b000900000673657276' +
- '6572ff01000100000a00140012001d0017001800190100010101020103010400' +
- '230000003300260024001d00204cfdfcd178b784bf328cae793b136f2aedce00' +
- '5ff183d7bb1495207236647037002b0003020304000d0020001e040305030603' +
- '020308040805080604010501060102010402050206020202002d00020101001c' +
- '00024001';
+var crypto_frame = '060040f1' +
+ '010000ed0303ebf8fa56f12939b9584a3896472ec40bb863cfd3e86804fe3a47' +
+ 'f06a2b69484c00000413011302010000e000000010000e00000b6578616d706c' +
+ '652e636f6dff01000100000a00080006001d0017001800100007000504616c70' +
+ '6e000500050100000000003300260024001d00209370b2c9caa47fbabaf4559f' +
+ 'edba753de171fa71f50f1ce15d43e994ec74d748002b0003020304000d001000' +
+ '0e0403050306030203080408050806002d00020101001c00024001ffa5003204' +
+ '08ffffffffffffffff05048000ffff07048000ffff0801100104800075300901' +
+ '100f088394c8f03e51570806048000ffff';
+
 test('client', cid, ci_hdr, 2, crypto_frame);
 
 // This should be a valid server Initial.
-var frames = '0d0000000018410a' +
+var frames = '02000000000600405a' +
 '020000560303eefce7f7b37ba1d163' +
 '2e96677825ddf73988cfc79825df566dc5430b9a04' +
 '5a1200130100002e00330024001d00209d3c940d89' +

From 0b4681671ced10eece12919d3fd4d6eb5950043c Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Wed, 10 Jun 2020 19:39:22 +1000
Subject: [PATCH 2/3] Update samples in the draft based on changed content

---
 draft-ietf-quic-tls.md | 63 +++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 31 deletions(-)

diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index 3754dc7c5b..cf06728af0 100644
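Review bot: The two comment lines kept as context above `crypto_frame` (`// This is a client Initial. Unfortunately, the ClientHello currently omits` / `// the transport_parameters extension.`) are now wrong: the new literal ends in `ffa50032…`, which is the quic_transport_parameters extension (0xffa5, 50 bytes) carrying the eight parameters the commit message decodes, so the "omits" remark will mislead the next person who edits the sample. I would replace those two lines with `// This is a client Initial carrying a complete ClientHello, including the` / `// quic_transport_parameters extension (0xffa5).` Separately, the ALPN extension in the new bytes (`0010 0007 0005 04 616c706e`) advertises the literal protocol name "alpn" rather than an HTTP/3 token; that is harmless for a packet-protection vector, but it does not match the "h3-28" label in the breakdown, so either the label or the bytes should be made to agree if the sample is meant to be self-describing.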
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -1978,13 +1978,14 @@ contains the following CRYPTO frame, plus enough PADDING frames to make a 1162
 byte payload:
 
 ~~~
-060040c4010000c003036660261ff947 cea49cce6cfad687f457cf1b14531ba1
-4131a0e8f309a1d0b9c4000006130113 031302010000910000000b0009000006
-736572766572ff01000100000a001400 12001d00170018001901000101010201
-03010400230000003300260024001d00 204cfdfcd178b784bf328cae793b136f
-2aedce005ff183d7bb14952072366470 37002b0003020304000d0020001e0403
-05030603020308040805080604010501 060102010402050206020202002d0002
-0101001c00024001
+060040f1010000ed0303ebf8fa56f129 39b9584a3896472ec40bb863cfd3e868
+04fe3a47f06a2b69484c000004130113 02010000e000000010000e00000b6578
+616d706c652e636f6dff01000100000a 00080006001d00170018001000070005
+04616c706e0005000501000000000033 00260024001d00209370b2c9caa47fba
+baf4559fedba753de171fa71f50f1ce1 5d43e994ec74d748002b000302030400
+0d0010000e0403050306030203080408 050806002d00020101001c00024001ff
+a500320408ffffffffffffffff050480 00ffff07048000ffff08011001048000
+75300901100f088394c8f03e51570806 048000ffff
 ~~~
 
 The unprotected header includes the connection ID and a 4 byte packet number
@@ -1999,30 +2000,30 @@ Because the header uses a 4 byte packet number encoding, the first 16 bytes of
 the protected payload is sampled, then applied to the header:
 
 ~~~
-sample = fb66bc5f93032b7ddd89fe0ff15d9c4f
+sample = fb66bc6a93032b50dd8973972d149421
 mask = AES-ECB(hp, sample)[0..4]
- = d64a952459
+ = 1e9cdb9909
 header[0] ^= mask[0] & 0x0f
- = c5
+ = cd
 header[18..21] ^= mask[1..4]
= 4a95245b
-header = c5ff00001d088394c8f03e5157080000449e4a95245b
= 9cdb990b
+header = cdff00001d088394c8f03e5157080000449e9cdb990b
 ~~~
 
 The resulting protected packet is:
 
 ~~~
-c5ff00001d088394c8f03e5157080000 449e4a95245bfb66bc5f93032b7ddd89
-fe0ff15d9c4f7050fccdb71c1cd80512 d4431643a53aafa1b0b518b44968b18b
-8d3e7a4d04c30b3ed9410325b2abb2da fb1c12f8b70479eb8df98abcaf95dd8f
-3d1c78660fbc719f88b23c8aef6771f3 d50e10fdfb4c9d92386d44481b6c52d5
-9e5538d3d3942de9f13a7f8b702dc317 24180da9df22714d01003fc5e3d165c9
-50e630b8540fbd81c9df0ee63f949970 26c4f2e1887a2def79050ac2d86ba318
-e0b3adc4c5aa18bcf63c7cf8e85f5692 49813a2236a7e72269447cd1c755e451
-f5e77470eb3de64c8849d29282069802 9cfa18e5d66176fe6e5ba4ed18026f90
-900a5b4980e2f58e39151d5cd685b109 29636d4f02e7fad2a5a458249f5c0298
+cdff00001d088394c8f03e5157080000 449e9cdb990bfb66bc6a93032b50dd89
+73972d149421874d3849e3708d71354e a33bcdc356f3ea6e2a1a1bd7c3d14003
+8d3e784d04c30a2cdb40e32523aba2da fe1c1bf3d27a6be38fe38ae033fbb071
+3c1c73661bb6639795b42b97f77068ea d51f11fbf9489af2501d09481e6c64d4
+b8551cd3cea70d830ce2aeeec789ef55 1a7fbe36b3f7e1549a9f8d8e153b3fac
+3fb7b7812c9ed7c20b4be190ebd89956 26e7f0fc887925ec6f0606c5d36aa81b
+ebb7aacdc4a31bb5f23d55faef5c5190 5783384f375a43235b5c742c78ab1bae
+0a188b75efbde6b3774ed61282f9670a 9dea19e1566103ce675ab4e21081fb58
+60340a1e88e4f10e39eae25cd685b109 29636d4f02e7fad2a5a458249f5c0298
 a6d53acbe41a7fc83fa7cc01973f7a74 d1237a51974e097636b6203997f921d0
 7bc1940a6f2d0de9f5a11432946159ed 6cc21df65c4ddd1115f86427259a196c
 7148b25b6478b0dc7766e1c4d1b1f515 9f90eabc61636226244642ee148b464c
@@ -2051,7 +2052,7 @@ edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872
 a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a566
 8c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09
 089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d48
-43b1ca70a2d8d3f725ead1391377dcc0
+b99ef35897cc207dea24c7837c4ee261
 ~~~
@@ -2061,10 +2062,10 @@ The server sends the following payload in response, including an ACK frame, a
 CRYPTO frame, and no PADDING frames:
 
 ~~~
-0d0000000018410a020000560303eefc e7f7b37ba1d1632e96677825ddf73988
-cfc79825df566dc5430b9a045a120013 0100002e00330024001d00209d3c940d
-89690b84d08a60993c144eca684d1081 287c834d5311bcf32bb9da1a002b0002
-0304
+02000000000600405a020000560303ee fce7f7b37ba1d1632e96677825ddf739
+88cfc79825df566dc5430b9a045a1200 130100002e00330024001d00209d3c94
+0d89690b84d08a60993c144eca684d10 81287c834d5311bcf32bb9da1a002b00
+020304
 ~~~
 
 The header from the server includes a new connection ID and a 2-byte packet
@@ -2086,11 +2087,11 @@ header = caff00001d0008f067a5502a4262b5004074aaf2
 The final protected packet is then:
 
 ~~~
-caff00001d0008f067a5502a4262b500 4074aaf2f007823a5d3a1207c86ee491
-32824f0465243d082d868b107a38092b c80528664cbf9456ebf27673fb5fa506
-1ab573c9f001b81da028a00d52ab00b1 5bebaa70640e106cf2acd043e9c6b441
-1c0a79637134d8993701fe779e58c2fe 753d14b0564021565ea92e57bc6faf56
-dfc7a40870e6
+c7ff00001d0008f067a5502a4262b500 4075fb12ff07823a5d24534d906ce4c7
+6782a2167e3479c0f7f6395dc2c91676 302fe6d70bb7cbeb117b4ddb7d173498
+44fd61dae200b8338e1b932976b61d91 e64a02e9e0ee72e3a6f63aba4ceeeec5
+be2f24f2d86027572943533846caa13e 6f163fb257473dcca25396e88724f1e5
+d964dedee9b633
 ~~~

From ab3d19bde401dd8116b5c90ea5351a893a808ab3 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Thu, 11 Jun 2020 09:09:16 +1000
Subject: [PATCH 3/3] Fix bad extension length

---
 draft-ietf-quic-tls.md | 6 +++---
 protection-samples.js | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
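Review bot: The worked header-protection example for the server packet no longer matches the packet this hunk produces: the `header = caff00001d0008f067a5502a4262b5004074aaf2` line shown as context on the `@@ -2086,11 +2087,11 @@` header still has the old length (`4074`) and old protected packet-number bytes (`aaf2`), while the new ciphertext begins `c7ff00001d0008f067a5502a4262b500 4075fb12ff…`. The ACK+CRYPTO payload grew by one byte (`0d0000000018410a` → `02000000000600405a`), so the unprotected length and, once the mask is applied, the first byte and packet-number bytes all change; the sample, mask and header lines for the server packet sit above this hunk, are not touched anywhere in this series, and presumably still describe the old packet, so they should be regenerated in the same commit, ending in `header = c7ff00001d0008f067a5502a4262b5004075fb12`. This kind of drift would be caught mechanically if the draft's vectors were emitted by protection-samples.js rather than pasted in by hand.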
diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
index cf06728af0..7caf0ab72c 100644
--- a/draft-ietf-quic-tls.md
+++ b/draft-ietf-quic-tls.md
@@ -1979,7 +1979,7 @@ byte payload:
 
 ~~~
 060040f1010000ed0303ebf8fa56f129 39b9584a3896472ec40bb863cfd3e868
-04fe3a47f06a2b69484c000004130113 02010000e000000010000e00000b6578
+04fe3a47f06a2b69484c000004130113 02010000c000000010000e00000b6578
 616d706c652e636f6dff01000100000a 00080006001d00170018001000070005
 04616c706e0005000501000000000033 00260024001d00209370b2c9caa47fba
 baf4559fedba753de171fa71f50f1ce1 5d43e994ec74d748002b000302030400
@@ -2017,7 +2017,7 @@ The resulting protected packet is:
 ~~~
 cdff00001d088394c8f03e5157080000 449e9cdb990bfb66bc6a93032b50dd89
 73972d149421874d3849e3708d71354e a33bcdc356f3ea6e2a1a1bd7c3d14003
-8d3e784d04c30a2cdb40e32523aba2da fe1c1bf3d27a6be38fe38ae033fbb071
+8d3e784d04c30a2cdb40c32523aba2da fe1c1bf3d27a6be38fe38ae033fbb071
 3c1c73661bb6639795b42b97f77068ea d51f11fbf9489af2501d09481e6c64d4
 b8551cd3cea70d830ce2aeeec789ef55 1a7fbe36b3f7e1549a9f8d8e153b3fac
 3fb7b7812c9ed7c20b4be190ebd89956 26e7f0fc887925ec6f0606c5d36aa81b
@@ -2052,7 +2052,7 @@ edb42d2af89a9c9122b07acbc29e5e72 2df8615c343702491098478a389c9872
 a10b0c9875125e257c7bfdf27eef4060 bd3d00f4c14fd3e3496c38d3c5d1a566
 8c39350effbc2d16ca17be4ce29f02ed 969504dda2a8c6b9ff919e693ee79e09
 089316e7d1d89ec099db3b2b268725d8 88536a4b8bf9aee8fb43e82a4d919d48
-b99ef35897cc207dea24c7837c4ee261
+1802771a449b30f3fa2289852607b660
 ~~~
diff --git a/protection-samples.js b/protection-samples.js
index 062f098888..9bfe17a93c 100755
--- a/protection-samples.js
+++ b/protection-samples.js
@@ -339,7 +339,7 @@ var ci_hdr = 'c3' + version + hex_cid(cid) + '0000';
 // the transport_parameters extension.
 var crypto_frame = '060040f1' +
 '010000ed0303ebf8fa56f12939b9584a3896472ec40bb863cfd3e86804fe3a47' +
- 'f06a2b69484c00000413011302010000e000000010000e00000b6578616d706c' +
+ 'f06a2b69484c00000413011302010000c000000010000e00000b6578616d706c' +
 '652e636f6dff01000100000a00080006001d0017001800100007000504616c70' +
 '6e000500050100000000003300260024001d00209370b2c9caa47fbabaf4559f' +
 'edba753de171fa71f50f1ce15d43e994ec74d748002b0003020304000d001000' +
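Review bot: This is the second hand-edit of a TLS length prefix inside `crypto_frame` in as many commits (`00e0` → `00c0` in the line beginning `'f06a2b69484c…`), and nothing in the file checks that the prefixes agree with the bytes that follow them, so the next edit to the sample can silently reintroduce a malformed ClientHello and the script will happily print ciphertext for it. I would add a small structural check and call it before `test('client', …)`: walk the CRYPTO header, the Handshake header, legacy_session_id, cipher_suites and legacy_compression_methods, and require the extensions length to cover exactly the remaining bytes, so `node protection-samples.js` fails loudly on an inconsistent vector. The function below does that for the encoding used by this literal (1-byte offset varint, 2-byte length varint); the `test` helper and the statement run around `crypto_frame` continue outside the hunk, so the exact call site is inferred.
```javascript
// Sanity-check the hand-written ClientHello so that a mistyped length prefix
// is caught here rather than surfacing as an undecodable test vector.
// Assumes the CRYPTO header as written above: type 06, 1-byte offset, 2-byte length.
function checkClientHello(frame) {
  var u8 = function (hex, i) { return parseInt(hex.substr(i * 2, 2), 16); };
  var u16 = function (hex, i) { return (u8(hex, i) << 8) | u8(hex, i + 1); };
  var body = frame.slice(8);                       // skip CRYPTO type/offset/length
  var bodyLen = body.length / 2;
  if ((u16(frame, 2) & 0x3fff) !== bodyLen) {
    throw new Error('CRYPTO frame length does not match payload');
  }
  if (((u8(body, 1) << 16) | u16(body, 2)) !== bodyLen - 4) {
    throw new Error('Handshake length does not match ClientHello');
  }
  var p = 4 + 2 + 32;                              // after msg header, version, random
  p += 1 + u8(body, p);                            // legacy_session_id
  p += 2 + u16(body, p);                           // cipher_suites
  p += 1 + u8(body, p);                            // legacy_compression_methods
  if (u16(body, p) !== bodyLen - p - 2) {
    throw new Error('extensions length does not match remaining bytes');
  }
}
// … unchanged: crypto_frame literal …
checkClientHello(crypto_frame);
test('client', cid, ci_hdr, 2, crypto_frame);
```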