Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1ac95445e62b9c4e9b8d99d8975ffe378a89d301 / . / src / quic_tls.c
blob: fcb80a34f90cbdad56c729b618501882073e36eb [file] [log] [blame]
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]1#include <string.h>
2
3#include <openssl/ssl.h>
4
5#if defined(OPENSSL_IS_BORINGSSL)
6#include <openssl/hkdf.h>
7#else
8#include <openssl/evp.h>
9#include <openssl/kdf.h>
10#endif
11
12#include <haproxy/buf.h>
13#include <haproxy/chunk.h>
14//#include <haproxy/quic_tls-t.h>
15#include <haproxy/xprt_quic.h>
16
17
Frédéric Lécaillefc768ec2021-11-23 21:02:04 +0100[diff] [blame]18DECLARE_POOL(pool_head_quic_tls_secret, "quic_tls_secret", QUIC_TLS_SECRET_LEN);
19DECLARE_POOL(pool_head_quic_tls_iv, "quic_tls_iv", QUIC_TLS_IV_LEN);
20DECLARE_POOL(pool_head_quic_tls_key, "quic_tls_key", QUIC_TLS_KEY_LEN);
21
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]22__attribute__((format (printf, 3, 4)))
23void hexdump(const void *buf, size_t buflen, const char *title_fmt, ...);
24
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]25/* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */
26void quic_tls_keys_hexdump(struct buffer *buf, struct quic_tls_secrets *secs)
27{
28 int i;
29 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead);
30 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead);
31 size_t hp_len = (size_t)EVP_CIPHER_key_length(secs->hp);
32
33 chunk_appendf(buf, "\n key=");
34 for (i = 0; i < aead_keylen; i++)
35 chunk_appendf(buf, "%02x", secs->key[i]);
36 chunk_appendf(buf, "\n iv=");
37 for (i = 0; i < aead_ivlen; i++)
38 chunk_appendf(buf, "%02x", secs->iv[i]);
39 chunk_appendf(buf, "\n hp=");
40 for (i = 0; i < hp_len; i++)
41 chunk_appendf(buf, "%02x", secs->hp_key[i]);
42}
43
44/* Dump <secret> TLS secret. */
45void quic_tls_secret_hexdump(struct buffer *buf,
46 const unsigned char *secret, size_t secret_len)
47{
48 int i;
49
50 chunk_appendf(buf, " secret=");
51 for (i = 0; i < secret_len; i++)
52 chunk_appendf(buf, "%02x", secret[i]);
53}
54
55#if defined(OPENSSL_IS_BORINGSSL)
56int quic_hkdf_extract(const EVP_MD *md,
57 unsigned char *buf, size_t *buflen,
58 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]59 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]60{
61 return HKDF_extract(buf, buflen, md, key, keylen, salt, saltlen);
62}
63
64int quic_hkdf_expand(const EVP_MD *md,
65 unsigned char *buf, size_t buflen,
66 const unsigned char *key, size_t keylen,
67 const unsigned char *label, size_t labellen)
68{
69 return HKDF_expand(buf, buflen, md, key, keylen, label, labellen);
70}
71#else
72int quic_hkdf_extract(const EVP_MD *md,
73 unsigned char *buf, size_t *buflen,
74 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]75 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]76{
77 EVP_PKEY_CTX *ctx;
78
79 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
80 if (!ctx)
81 return 0;
82
83 if (EVP_PKEY_derive_init(ctx) <= 0 ||
84 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 ||
85 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
86 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
87 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
88 EVP_PKEY_derive(ctx, buf, buflen) <= 0)
89 goto err;
90
91 EVP_PKEY_CTX_free(ctx);
92 return 1;
93
94 err:
95 EVP_PKEY_CTX_free(ctx);
96 return 0;
97}
98
99int quic_hkdf_expand(const EVP_MD *md,
100 unsigned char *buf, size_t buflen,
101 const unsigned char *key, size_t keylen,
102 const unsigned char *label, size_t labellen)
103{
104 EVP_PKEY_CTX *ctx;
105
106 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
107 if (!ctx)
108 return 0;
109
110 if (EVP_PKEY_derive_init(ctx) <= 0 ||
111 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
112 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
113 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
114 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
115 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
116 goto err;
117
118 EVP_PKEY_CTX_free(ctx);
119 return 1;
120
121 err:
122 EVP_PKEY_CTX_free(ctx);
123 return 0;
124}
125#endif
126
127/* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys
128 * refers to:
129 *
130 * https://tools.ietf.org/html/rfc8446#section-7.1:
131 * 7.1. Key Schedule
132 *
133 * The key derivation process makes use of the HKDF-Extract and
134 * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the
135 * functions defined below:
136 *
137 * HKDF-Expand-Label(Secret, Label, Context, Length) =
138 * HKDF-Expand(Secret, HkdfLabel, Length)
139 *
140 * Where HkdfLabel is specified as:
141 *
142 * struct {
143 * uint16 length = Length;
144 * opaque label<7..255> = "tls13 " + Label;
145 * opaque context<0..255> = Context;
146 * } HkdfLabel;
147 *
148 * Derive-Secret(Secret, Label, Messages) =
149 * HKDF-Expand-Label(Secret, Label,
150 * Transcript-Hash(Messages), Hash.length)
151 *
152 */
153int quic_hkdf_expand_label(const EVP_MD *md,
154 unsigned char *buf, size_t buflen,
155 const unsigned char *key, size_t keylen,
156 const unsigned char *label, size_t labellen)
157{
158 unsigned char hdkf_label[256], *pos;
159 const unsigned char hdkf_label_label[] = "tls13 ";
160 size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1;
161
162 pos = hdkf_label;
163 *pos++ = buflen >> 8;
164 *pos++ = buflen & 0xff;
165 *pos++ = hdkf_label_label_sz + labellen;
166 memcpy(pos, hdkf_label_label, hdkf_label_label_sz);
167 pos += hdkf_label_label_sz;
168 memcpy(pos, label, labellen);
169 pos += labellen;
170 *pos++ = '\0';
171
172 return quic_hkdf_expand(md, buf, buflen,
173 key, keylen, hdkf_label, pos - hdkf_label);
174}
175
176/*
177 * This function derives two keys from <secret> is <ctx> as TLS cryptographic context.
178 * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level.
179 * ->iv is the initialization vector to be used with ->key.
180 * ->hp_key is the key to be derived for header protection.
181 * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context.
182 */
183int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
184 const EVP_MD *md,
185 unsigned char *key, size_t keylen,
186 unsigned char *iv, size_t ivlen,
187 unsigned char *hp_key, size_t hp_keylen,
188 const unsigned char *secret, size_t secretlen)
189{
190 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead);
191 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead);
Frédéric Lécaille6e351d62021-11-30 11:06:41 +0100[diff] [blame]192 size_t hp_len = hp ? (size_t)EVP_CIPHER_key_length(hp) : 0;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]193 const unsigned char key_label[] = "quic key";
194 const unsigned char iv_label[] = "quic iv";
195 const unsigned char hp_key_label[] = "quic hp";
196
197 if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen)
198 return 0;
199
200 if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen,
201 key_label, sizeof key_label - 1) ||
202 !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen,
203 iv_label, sizeof iv_label - 1) ||
Frédéric Lécaille6e351d62021-11-30 11:06:41 +0100[diff] [blame]204 (hp_key && !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen,
205 hp_key_label, sizeof hp_key_label - 1)))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]206 return 0;
207
208 return 1;
209}
210
211/*
212 * Derive the initial secret from <secret> and QUIC version dependent salt.
213 * Returns the size of the derived secret if succeeded, 0 if not.
214 */
215int quic_derive_initial_secret(const EVP_MD *md,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]216 const unsigned char *initial_salt, size_t initial_salt_sz,
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]217 unsigned char *initial_secret, size_t initial_secret_sz,
218 const unsigned char *secret, size_t secret_sz)
219{
220 if (!quic_hkdf_extract(md, initial_secret, &initial_secret_sz, secret, secret_sz,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]221 initial_salt, initial_salt_sz))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]222 return 0;
223
224 return 1;
225}
226
227/*
228 * Derive the client initial secret from the initial secret.
229 * Returns the size of the derived secret if succeeded, 0 if not.
230 */
231int quic_tls_derive_initial_secrets(const EVP_MD *md,
232 unsigned char *rx, size_t rx_sz,
233 unsigned char *tx, size_t tx_sz,
234 const unsigned char *secret, size_t secret_sz,
235 int server)
236{
237 const unsigned char client_label[] = "client in";
238 const unsigned char server_label[] = "server in";
239 const unsigned char *tx_label, *rx_label;
240 size_t rx_label_sz, tx_label_sz;
241
242 if (server) {
243 rx_label = client_label;
244 rx_label_sz = sizeof client_label;
245 tx_label = server_label;
246 tx_label_sz = sizeof server_label;
247 }
248 else {
249 rx_label = server_label;
250 rx_label_sz = sizeof server_label;
251 tx_label = client_label;
252 tx_label_sz = sizeof client_label;
253 }
254
255 if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz,
256 rx_label, rx_label_sz - 1) ||
257 !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz,
258 tx_label, tx_label_sz - 1))
259 return 0;
260
261 return 1;
262}
263
Frédéric Lécaille39484de2021-11-30 10:10:24 +0100[diff] [blame]264/* Update <sec> secret key into <new_sec> according to RFC 9001 6.1.
265 * Always succeeds.
266 */
267int quic_tls_sec_update(const EVP_MD *md,
268 unsigned char *new_sec, size_t new_seclen,
269 const unsigned char *sec, size_t seclen)
270{
271 const unsigned char ku_label[] = "quic ku";
272
273 return quic_hkdf_expand_label(md, new_sec, new_seclen, sec, seclen,
274 ku_label, sizeof ku_label - 1);
275}
276
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]277/*
278 * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with
279 * <aead_ivlen> as size depending on <pn> packet number.
280 * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm
281 * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>.
282 * This function fails and return 0 only if the two buffer lengths are different, 1 if not.
283 */
284int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
285 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn)
286{
287 int i;
288 unsigned int shift;
289 unsigned char *pos = iv;
290
291 if (ivlen != aead_ivlen)
292 return 0;
293
294 for (i = 0; i < ivlen - sizeof pn; i++)
295 *pos++ = *aead_iv++;
296
297 /* Only the remaining (sizeof pn) bytes are XOR'ed. */
298 shift = 56;
299 for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8)
300 *pos++ = *aead_iv++ ^ (pn >> shift);
301
302 return 1;
303}
304
305/*
306 * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead
307 *
308 * 5.3. AEAD Usage
309 *
310 * Packets are protected prior to applying header protection (Section 5.4).
311 * The unprotected packet header is part of the associated data (A). When removing
312 * packet protection, an endpoint first removes the header protection.
313 * (...)
314 * These ciphersuites have a 16-byte authentication tag and produce an output 16
315 * bytes larger than their input.
316 * The key and IV for the packet are computed as described in Section 5.1. The nonce,
317 * N, is formed by combining the packet protection IV with the packet number. The 62
318 * bits of the reconstructed QUIC packet number in network byte order are left-padded
319 * with zeros to the size of the IV. The exclusive OR of the padded packet number and
320 * the IV forms the AEAD nonce.
321 *
322 * The associated data, A, for the AEAD is the contents of the QUIC header, starting
323 * from the flags byte in either the short or long header, up to and including the
324 * unprotected packet number.
325 *
326 * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described
327 * in [QUIC-TRANSPORT].
328 *
329 * The output ciphertext, C, of the AEAD is transmitted in place of P.
330 *
331 * Some AEAD functions have limits for how many packets can be encrypted under the same
332 * key and IV (see for example [AEBounds]). This might be lower than the packet number limit.
333 * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for
334 * the AEAD that is in use.
335 */
336
337int quic_tls_encrypt(unsigned char *buf, size_t len,
338 const unsigned char *aad, size_t aad_len,
339 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
340{
341 EVP_CIPHER_CTX *ctx;
342 int ret, outlen;
343
344 ret = 0;
345 ctx = EVP_CIPHER_CTX_new();
346 if (!ctx)
347 return 0;
348
349 if (!EVP_EncryptInit_ex(ctx, aead, NULL, key, iv) ||
350 !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
351 !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) ||
352 !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) ||
353 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len))
354 goto out;
355
356 ret = 1;
357
358 out:
359 EVP_CIPHER_CTX_free(ctx);
360
361 return ret;
362}
363
364int quic_tls_decrypt(unsigned char *buf, size_t len,
365 unsigned char *aad, size_t aad_len,
366 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
367{
368 int ret, outlen;
369 size_t off;
370 EVP_CIPHER_CTX *ctx;
371
372 ret = 0;
373 off = 0;
374 ctx = EVP_CIPHER_CTX_new();
375 if (!ctx)
376 return 0;
377
378 if (!EVP_DecryptInit_ex(ctx, aead, NULL, key, iv) ||
379 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
380 !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN))
381 goto out;
382
383 off += outlen;
384
385 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN,
386 buf + len - QUIC_TLS_TAG_LEN) ||
387 !EVP_DecryptFinal_ex(ctx, buf + off, &outlen))
388 goto out;
389
390 off += outlen;
391
392 ret = off;
393
394 out:
395 EVP_CIPHER_CTX_free(ctx);
396 return ret;
397}