Skip to main content

decrypt_initial

quic_parser

Function decrypt_initial 

Source 
pub fn decrypt_initial(
    packet: &[u8],
    header: &InitialHeader<'_>,
) -> Result<Vec<u8>, Error>
Expand description

Decrypt a QUIC Initial packet payload.

Performs header protection removal (AES-ECB), key derivation (HKDF-SHA256), and AEAD decryption (AES-128-GCM). Supports both QUIC v1 (RFC 9001) and v2 (RFC 9369).

The returned bytes contain the decrypted frames (PADDING, CRYPTO, ACK, etc.).

ยงErrors

Returns Error::UnsupportedVersion if the version is not v1 or v2. Returns Error::DecryptionFailed if any cryptographic operation fails. Returns Error::BufferTooShort if the payload is too short for header protection removal.

Examples found in repository?
examples/decrypt_initial.rs (line 28)
10fn main() {
11	// RFC 9001 Appendix A.2 client Initial packet (complete, 1200 bytes).
12	let packet = rfc9001_client_initial();
13
14	let header = match quic_parser::parse_initial(&packet) {
15		Ok(h) => h,
16		Err(e) => {
17			eprintln!("header parse error: {e}");
18			return;
19		}
20	};
21
22	println!("Parsed header:");
23	println!("  version: {:#010x}", header.version);
24	println!("  dcid:    {}", hex(header.dcid));
25	println!("  scid:    {}", hex(header.scid));
26	println!("  payload: {} bytes", header.payload.len());
27
28	let decrypted = match quic_parser::decrypt_initial(&packet, &header) {
29		Ok(d) => d,
30		Err(e) => {
31			eprintln!("decryption error: {e}");
32			return;
33		}
34	};
35
36	println!("Decrypted {} bytes of frame data", decrypted.len());
37
38	let frames = match quic_parser::parse_crypto_frames(&decrypted) {
39		Ok(f) => f,
40		Err(e) => {
41			eprintln!("frame parse error: {e}");
42			return;
43		}
44	};
45
46	println!("Found {} CRYPTO frame(s)", frames.len());
47	for (i, f) in frames.iter().enumerate() {
48		println!("  frame {i}: offset={}, len={}", f.offset, f.data.len());
49	}
50
51	let stream = quic_parser::reassemble_crypto_stream(&frames);
52	println!("Reassembled crypto stream: {} bytes", stream.len());
53
54	if stream.len() >= 6 {
55		let msg_type = stream[0];
56		let length = u32::from_be_bytes([0, stream[1], stream[2], stream[3]]);
57		let tls_version = u16::from_be_bytes([stream[4], stream[5]]);
58		println!("TLS handshake: type={msg_type:#04x} length={length} version={tls_version:#06x}");
59	}
60}