target = "https://www.rfc-editor.org/rfc/rfc9001#section-5.4.1" # 5.4.1. Header Protection Application # # Header protection is applied after packet protection is applied (see # Section 5.3). The ciphertext of the packet is sampled and used as # input to an encryption algorithm. The algorithm used depends on the # negotiated AEAD. # # The output of this algorithm is a 5-byte mask that is applied to the # protected header fields using exclusive OR. The least significant # bits of the first byte of the packet are masked by the least # significant bits of the first mask byte, and the packet number is # masked with the remaining bytes. Any unused bytes of mask that might # result from a shorter packet number encoding are unused. # # Figure 6 shows a sample algorithm for applying header protection. # Removing header protection only differs in the order in which the # packet number length (pn_length) is determined (here "^" is used to # represent exclusive OR). # # mask = header_protection(hp_key, sample) # # pn_length = (packet[0] & 0x03) + 1 # if (packet[0] & 0x80) == 0x80: # # Long header: 4 bits masked # packet[0] ^= mask[0] & 0x0f # else: # # Short header: 5 bits masked # packet[0] ^= mask[0] & 0x1f # # # pn_offset is the start of the Packet Number field. # packet[pn_offset:pn_offset+pn_length] ^= mask[1:1+pn_length] # # Figure 6: Header Protection Pseudocode # # Specific header protection functions are defined based on the # selected cipher suite; see Section 5.4.3 and Section 5.4.4. # # Figure 7 shows an example long header packet (Initial) and a short # header packet (1-RTT). Figure 7 shows the fields in each header that # are covered by header protection and the portion of the protected # packet payload that is sampled. # # Initial Packet { # Header Form (1) = 1, # Fixed Bit (1) = 1, # Long Packet Type (2) = 0, # Reserved Bits (2), # Protected # Packet Number Length (2), # Protected # Version (32), # DCID Len (8), # Destination Connection ID (0..160), # SCID Len (8), # Source Connection ID (0..160), # Token Length (i), # Token (..), # Length (i), # Packet Number (8..32), # Protected # Protected Payload (0..24), # Skipped Part # Protected Payload (128), # Sampled Part # Protected Payload (..) # Remainder # } # # 1-RTT Packet { # Header Form (1) = 0, # Fixed Bit (1) = 1, # Spin Bit (1), # Reserved Bits (2), # Protected # Key Phase (1), # Protected # Packet Number Length (2), # Protected # Destination Connection ID (0..160), # Packet Number (8..32), # Protected # Protected Payload (0..24), # Skipped Part # Protected Payload (128), # Sampled Part # Protected Payload (..), # Remainder # } # # Figure 7: Header Protection and Ciphertext Sample # # Before a TLS cipher suite can be used with QUIC, a header protection # algorithm MUST be specified for the AEAD used with that cipher suite. # This document defines algorithms for AEAD_AES_128_GCM, # AEAD_AES_128_CCM, AEAD_AES_256_GCM (all these AES AEADs are defined # in [AEAD]), and AEAD_CHACHA20_POLY1305 (defined in [CHACHA]). Prior # to TLS selecting a cipher suite, AES header protection is used # (Section 5.4.3), matching the AEAD_AES_128_GCM packet protection. [[spec]] level = "MUST" quote = ''' Before a TLS cipher suite can be used with QUIC, a header protection algorithm MUST be specified for the AEAD used with that cipher suite. '''