Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 0e25783d47edfc8efeb53a3c1a93aca270af1890 / . / src / quic_tls.c
blob: bd45fcee98486b1f368e413e1c43c70bf9740b20 [file] [log] [blame]
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]1#include <string.h>
2
3#include <openssl/ssl.h>
4
5#if defined(OPENSSL_IS_BORINGSSL)
6#include <openssl/hkdf.h>
7#else
8#include <openssl/evp.h>
9#include <openssl/kdf.h>
10#endif
11
12#include <haproxy/buf.h>
13#include <haproxy/chunk.h>
14//#include <haproxy/quic_tls-t.h>
15#include <haproxy/xprt_quic.h>
16
17
18__attribute__((format (printf, 3, 4)))
19void hexdump(const void *buf, size_t buflen, const char *title_fmt, ...);
20
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]21/* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */
22void quic_tls_keys_hexdump(struct buffer *buf, struct quic_tls_secrets *secs)
23{
24 int i;
25 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead);
26 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead);
27 size_t hp_len = (size_t)EVP_CIPHER_key_length(secs->hp);
28
29 chunk_appendf(buf, "\n key=");
30 for (i = 0; i < aead_keylen; i++)
31 chunk_appendf(buf, "%02x", secs->key[i]);
32 chunk_appendf(buf, "\n iv=");
33 for (i = 0; i < aead_ivlen; i++)
34 chunk_appendf(buf, "%02x", secs->iv[i]);
35 chunk_appendf(buf, "\n hp=");
36 for (i = 0; i < hp_len; i++)
37 chunk_appendf(buf, "%02x", secs->hp_key[i]);
38}
39
40/* Dump <secret> TLS secret. */
41void quic_tls_secret_hexdump(struct buffer *buf,
42 const unsigned char *secret, size_t secret_len)
43{
44 int i;
45
46 chunk_appendf(buf, " secret=");
47 for (i = 0; i < secret_len; i++)
48 chunk_appendf(buf, "%02x", secret[i]);
49}
50
51#if defined(OPENSSL_IS_BORINGSSL)
52int quic_hkdf_extract(const EVP_MD *md,
53 unsigned char *buf, size_t *buflen,
54 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]55 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]56{
57 return HKDF_extract(buf, buflen, md, key, keylen, salt, saltlen);
58}
59
60int quic_hkdf_expand(const EVP_MD *md,
61 unsigned char *buf, size_t buflen,
62 const unsigned char *key, size_t keylen,
63 const unsigned char *label, size_t labellen)
64{
65 return HKDF_expand(buf, buflen, md, key, keylen, label, labellen);
66}
67#else
68int quic_hkdf_extract(const EVP_MD *md,
69 unsigned char *buf, size_t *buflen,
70 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]71 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]72{
73 EVP_PKEY_CTX *ctx;
74
75 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
76 if (!ctx)
77 return 0;
78
79 if (EVP_PKEY_derive_init(ctx) <= 0 ||
80 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 ||
81 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
82 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
83 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
84 EVP_PKEY_derive(ctx, buf, buflen) <= 0)
85 goto err;
86
87 EVP_PKEY_CTX_free(ctx);
88 return 1;
89
90 err:
91 EVP_PKEY_CTX_free(ctx);
92 return 0;
93}
94
95int quic_hkdf_expand(const EVP_MD *md,
96 unsigned char *buf, size_t buflen,
97 const unsigned char *key, size_t keylen,
98 const unsigned char *label, size_t labellen)
99{
100 EVP_PKEY_CTX *ctx;
101
102 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
103 if (!ctx)
104 return 0;
105
106 if (EVP_PKEY_derive_init(ctx) <= 0 ||
107 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
108 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
109 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
110 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
111 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
112 goto err;
113
114 EVP_PKEY_CTX_free(ctx);
115 return 1;
116
117 err:
118 EVP_PKEY_CTX_free(ctx);
119 return 0;
120}
121#endif
122
123/* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys
124 * refers to:
125 *
126 * https://tools.ietf.org/html/rfc8446#section-7.1:
127 * 7.1. Key Schedule
128 *
129 * The key derivation process makes use of the HKDF-Extract and
130 * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the
131 * functions defined below:
132 *
133 * HKDF-Expand-Label(Secret, Label, Context, Length) =
134 * HKDF-Expand(Secret, HkdfLabel, Length)
135 *
136 * Where HkdfLabel is specified as:
137 *
138 * struct {
139 * uint16 length = Length;
140 * opaque label<7..255> = "tls13 " + Label;
141 * opaque context<0..255> = Context;
142 * } HkdfLabel;
143 *
144 * Derive-Secret(Secret, Label, Messages) =
145 * HKDF-Expand-Label(Secret, Label,
146 * Transcript-Hash(Messages), Hash.length)
147 *
148 */
149int quic_hkdf_expand_label(const EVP_MD *md,
150 unsigned char *buf, size_t buflen,
151 const unsigned char *key, size_t keylen,
152 const unsigned char *label, size_t labellen)
153{
154 unsigned char hdkf_label[256], *pos;
155 const unsigned char hdkf_label_label[] = "tls13 ";
156 size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1;
157
158 pos = hdkf_label;
159 *pos++ = buflen >> 8;
160 *pos++ = buflen & 0xff;
161 *pos++ = hdkf_label_label_sz + labellen;
162 memcpy(pos, hdkf_label_label, hdkf_label_label_sz);
163 pos += hdkf_label_label_sz;
164 memcpy(pos, label, labellen);
165 pos += labellen;
166 *pos++ = '\0';
167
168 return quic_hkdf_expand(md, buf, buflen,
169 key, keylen, hdkf_label, pos - hdkf_label);
170}
171
172/*
173 * This function derives two keys from <secret> is <ctx> as TLS cryptographic context.
174 * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level.
175 * ->iv is the initialization vector to be used with ->key.
176 * ->hp_key is the key to be derived for header protection.
177 * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context.
178 */
179int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
180 const EVP_MD *md,
181 unsigned char *key, size_t keylen,
182 unsigned char *iv, size_t ivlen,
183 unsigned char *hp_key, size_t hp_keylen,
184 const unsigned char *secret, size_t secretlen)
185{
186 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead);
187 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead);
188 size_t hp_len = (size_t)EVP_CIPHER_key_length(hp);
189 const unsigned char key_label[] = "quic key";
190 const unsigned char iv_label[] = "quic iv";
191 const unsigned char hp_key_label[] = "quic hp";
192
193 if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen)
194 return 0;
195
196 if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen,
197 key_label, sizeof key_label - 1) ||
198 !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen,
199 iv_label, sizeof iv_label - 1) ||
200 !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen,
201 hp_key_label, sizeof hp_key_label - 1))
202 return 0;
203
204 return 1;
205}
206
207/*
208 * Derive the initial secret from <secret> and QUIC version dependent salt.
209 * Returns the size of the derived secret if succeeded, 0 if not.
210 */
211int quic_derive_initial_secret(const EVP_MD *md,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]212 const unsigned char *initial_salt, size_t initial_salt_sz,
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]213 unsigned char *initial_secret, size_t initial_secret_sz,
214 const unsigned char *secret, size_t secret_sz)
215{
216 if (!quic_hkdf_extract(md, initial_secret, &initial_secret_sz, secret, secret_sz,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]217 initial_salt, initial_salt_sz))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]218 return 0;
219
220 return 1;
221}
222
223/*
224 * Derive the client initial secret from the initial secret.
225 * Returns the size of the derived secret if succeeded, 0 if not.
226 */
227int quic_tls_derive_initial_secrets(const EVP_MD *md,
228 unsigned char *rx, size_t rx_sz,
229 unsigned char *tx, size_t tx_sz,
230 const unsigned char *secret, size_t secret_sz,
231 int server)
232{
233 const unsigned char client_label[] = "client in";
234 const unsigned char server_label[] = "server in";
235 const unsigned char *tx_label, *rx_label;
236 size_t rx_label_sz, tx_label_sz;
237
238 if (server) {
239 rx_label = client_label;
240 rx_label_sz = sizeof client_label;
241 tx_label = server_label;
242 tx_label_sz = sizeof server_label;
243 }
244 else {
245 rx_label = server_label;
246 rx_label_sz = sizeof server_label;
247 tx_label = client_label;
248 tx_label_sz = sizeof client_label;
249 }
250
251 if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz,
252 rx_label, rx_label_sz - 1) ||
253 !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz,
254 tx_label, tx_label_sz - 1))
255 return 0;
256
257 return 1;
258}
259
260/*
261 * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with
262 * <aead_ivlen> as size depending on <pn> packet number.
263 * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm
264 * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>.
265 * This function fails and return 0 only if the two buffer lengths are different, 1 if not.
266 */
267int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
268 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn)
269{
270 int i;
271 unsigned int shift;
272 unsigned char *pos = iv;
273
274 if (ivlen != aead_ivlen)
275 return 0;
276
277 for (i = 0; i < ivlen - sizeof pn; i++)
278 *pos++ = *aead_iv++;
279
280 /* Only the remaining (sizeof pn) bytes are XOR'ed. */
281 shift = 56;
282 for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8)
283 *pos++ = *aead_iv++ ^ (pn >> shift);
284
285 return 1;
286}
287
288/*
289 * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead
290 *
291 * 5.3. AEAD Usage
292 *
293 * Packets are protected prior to applying header protection (Section 5.4).
294 * The unprotected packet header is part of the associated data (A). When removing
295 * packet protection, an endpoint first removes the header protection.
296 * (...)
297 * These ciphersuites have a 16-byte authentication tag and produce an output 16
298 * bytes larger than their input.
299 * The key and IV for the packet are computed as described in Section 5.1. The nonce,
300 * N, is formed by combining the packet protection IV with the packet number. The 62
301 * bits of the reconstructed QUIC packet number in network byte order are left-padded
302 * with zeros to the size of the IV. The exclusive OR of the padded packet number and
303 * the IV forms the AEAD nonce.
304 *
305 * The associated data, A, for the AEAD is the contents of the QUIC header, starting
306 * from the flags byte in either the short or long header, up to and including the
307 * unprotected packet number.
308 *
309 * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described
310 * in [QUIC-TRANSPORT].
311 *
312 * The output ciphertext, C, of the AEAD is transmitted in place of P.
313 *
314 * Some AEAD functions have limits for how many packets can be encrypted under the same
315 * key and IV (see for example [AEBounds]). This might be lower than the packet number limit.
316 * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for
317 * the AEAD that is in use.
318 */
319
320int quic_tls_encrypt(unsigned char *buf, size_t len,
321 const unsigned char *aad, size_t aad_len,
322 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
323{
324 EVP_CIPHER_CTX *ctx;
325 int ret, outlen;
326
327 ret = 0;
328 ctx = EVP_CIPHER_CTX_new();
329 if (!ctx)
330 return 0;
331
332 if (!EVP_EncryptInit_ex(ctx, aead, NULL, key, iv) ||
333 !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
334 !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) ||
335 !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) ||
336 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len))
337 goto out;
338
339 ret = 1;
340
341 out:
342 EVP_CIPHER_CTX_free(ctx);
343
344 return ret;
345}
346
347int quic_tls_decrypt(unsigned char *buf, size_t len,
348 unsigned char *aad, size_t aad_len,
349 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
350{
351 int ret, outlen;
352 size_t off;
353 EVP_CIPHER_CTX *ctx;
354
355 ret = 0;
356 off = 0;
357 ctx = EVP_CIPHER_CTX_new();
358 if (!ctx)
359 return 0;
360
361 if (!EVP_DecryptInit_ex(ctx, aead, NULL, key, iv) ||
362 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
363 !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN))
364 goto out;
365
366 off += outlen;
367
368 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN,
369 buf + len - QUIC_TLS_TAG_LEN) ||
370 !EVP_DecryptFinal_ex(ctx, buf + off, &outlen))
371 goto out;
372
373 off += outlen;
374
375 ret = off;
376
377 out:
378 EVP_CIPHER_CTX_free(ctx);
379 return ret;
380}