Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 7a4f0d85be99e26056e3f6512a10c54c280a407f / . / src / quic_tls.c
blob: 11d5875daebd134ddf88d538b9fac9faff6ec515 [file] [log] [blame]
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]1#include <string.h>
2
3#include <openssl/ssl.h>
4
5#if defined(OPENSSL_IS_BORINGSSL)
6#include <openssl/hkdf.h>
7#else
8#include <openssl/evp.h>
9#include <openssl/kdf.h>
10#endif
11
12#include <haproxy/buf.h>
13#include <haproxy/chunk.h>
14//#include <haproxy/quic_tls-t.h>
15#include <haproxy/xprt_quic.h>
16
17
18__attribute__((format (printf, 3, 4)))
19void hexdump(const void *buf, size_t buflen, const char *title_fmt, ...);
20
21/* Initial salt depending on QUIC version to derive client/server initial secrets.
Frédéric Lécailleb4e17382020-12-16 11:28:58 +0100[diff] [blame]22 * This one is for draft-29 QUIC version.
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]23 */
24unsigned char initial_salt[20] = {
Frédéric Lécailleb4e17382020-12-16 11:28:58 +0100[diff] [blame]25 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c,
26 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0,
27 0x43, 0x90, 0xa8, 0x99
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]28};
29
Frédéric Lécaille82d1daa2021-07-01 17:48:46 +0200[diff] [blame]30unsigned char initial_salt_v1[20] = {
31 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3,
32 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad,
33 0xcc, 0xbb, 0x7f, 0x0a
34};
35
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]36/* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */
37void quic_tls_keys_hexdump(struct buffer *buf, struct quic_tls_secrets *secs)
38{
39 int i;
40 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead);
41 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead);
42 size_t hp_len = (size_t)EVP_CIPHER_key_length(secs->hp);
43
44 chunk_appendf(buf, "\n key=");
45 for (i = 0; i < aead_keylen; i++)
46 chunk_appendf(buf, "%02x", secs->key[i]);
47 chunk_appendf(buf, "\n iv=");
48 for (i = 0; i < aead_ivlen; i++)
49 chunk_appendf(buf, "%02x", secs->iv[i]);
50 chunk_appendf(buf, "\n hp=");
51 for (i = 0; i < hp_len; i++)
52 chunk_appendf(buf, "%02x", secs->hp_key[i]);
53}
54
55/* Dump <secret> TLS secret. */
56void quic_tls_secret_hexdump(struct buffer *buf,
57 const unsigned char *secret, size_t secret_len)
58{
59 int i;
60
61 chunk_appendf(buf, " secret=");
62 for (i = 0; i < secret_len; i++)
63 chunk_appendf(buf, "%02x", secret[i]);
64}
65
66#if defined(OPENSSL_IS_BORINGSSL)
67int quic_hkdf_extract(const EVP_MD *md,
68 unsigned char *buf, size_t *buflen,
69 const unsigned char *key, size_t keylen,
70 unsigned char *salt, size_t saltlen)
71{
72 return HKDF_extract(buf, buflen, md, key, keylen, salt, saltlen);
73}
74
75int quic_hkdf_expand(const EVP_MD *md,
76 unsigned char *buf, size_t buflen,
77 const unsigned char *key, size_t keylen,
78 const unsigned char *label, size_t labellen)
79{
80 return HKDF_expand(buf, buflen, md, key, keylen, label, labellen);
81}
82#else
83int quic_hkdf_extract(const EVP_MD *md,
84 unsigned char *buf, size_t *buflen,
85 const unsigned char *key, size_t keylen,
86 unsigned char *salt, size_t saltlen)
87{
88 EVP_PKEY_CTX *ctx;
89
90 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
91 if (!ctx)
92 return 0;
93
94 if (EVP_PKEY_derive_init(ctx) <= 0 ||
95 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 ||
96 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
97 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
98 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
99 EVP_PKEY_derive(ctx, buf, buflen) <= 0)
100 goto err;
101
102 EVP_PKEY_CTX_free(ctx);
103 return 1;
104
105 err:
106 EVP_PKEY_CTX_free(ctx);
107 return 0;
108}
109
110int quic_hkdf_expand(const EVP_MD *md,
111 unsigned char *buf, size_t buflen,
112 const unsigned char *key, size_t keylen,
113 const unsigned char *label, size_t labellen)
114{
115 EVP_PKEY_CTX *ctx;
116
117 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
118 if (!ctx)
119 return 0;
120
121 if (EVP_PKEY_derive_init(ctx) <= 0 ||
122 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
123 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
124 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
125 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
126 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
127 goto err;
128
129 EVP_PKEY_CTX_free(ctx);
130 return 1;
131
132 err:
133 EVP_PKEY_CTX_free(ctx);
134 return 0;
135}
136#endif
137
138/* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys
139 * refers to:
140 *
141 * https://tools.ietf.org/html/rfc8446#section-7.1:
142 * 7.1. Key Schedule
143 *
144 * The key derivation process makes use of the HKDF-Extract and
145 * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the
146 * functions defined below:
147 *
148 * HKDF-Expand-Label(Secret, Label, Context, Length) =
149 * HKDF-Expand(Secret, HkdfLabel, Length)
150 *
151 * Where HkdfLabel is specified as:
152 *
153 * struct {
154 * uint16 length = Length;
155 * opaque label<7..255> = "tls13 " + Label;
156 * opaque context<0..255> = Context;
157 * } HkdfLabel;
158 *
159 * Derive-Secret(Secret, Label, Messages) =
160 * HKDF-Expand-Label(Secret, Label,
161 * Transcript-Hash(Messages), Hash.length)
162 *
163 */
164int quic_hkdf_expand_label(const EVP_MD *md,
165 unsigned char *buf, size_t buflen,
166 const unsigned char *key, size_t keylen,
167 const unsigned char *label, size_t labellen)
168{
169 unsigned char hdkf_label[256], *pos;
170 const unsigned char hdkf_label_label[] = "tls13 ";
171 size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1;
172
173 pos = hdkf_label;
174 *pos++ = buflen >> 8;
175 *pos++ = buflen & 0xff;
176 *pos++ = hdkf_label_label_sz + labellen;
177 memcpy(pos, hdkf_label_label, hdkf_label_label_sz);
178 pos += hdkf_label_label_sz;
179 memcpy(pos, label, labellen);
180 pos += labellen;
181 *pos++ = '\0';
182
183 return quic_hkdf_expand(md, buf, buflen,
184 key, keylen, hdkf_label, pos - hdkf_label);
185}
186
187/*
188 * This function derives two keys from <secret> is <ctx> as TLS cryptographic context.
189 * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level.
190 * ->iv is the initialization vector to be used with ->key.
191 * ->hp_key is the key to be derived for header protection.
192 * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context.
193 */
194int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
195 const EVP_MD *md,
196 unsigned char *key, size_t keylen,
197 unsigned char *iv, size_t ivlen,
198 unsigned char *hp_key, size_t hp_keylen,
199 const unsigned char *secret, size_t secretlen)
200{
201 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead);
202 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead);
203 size_t hp_len = (size_t)EVP_CIPHER_key_length(hp);
204 const unsigned char key_label[] = "quic key";
205 const unsigned char iv_label[] = "quic iv";
206 const unsigned char hp_key_label[] = "quic hp";
207
208 if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen)
209 return 0;
210
211 if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen,
212 key_label, sizeof key_label - 1) ||
213 !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen,
214 iv_label, sizeof iv_label - 1) ||
215 !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen,
216 hp_key_label, sizeof hp_key_label - 1))
217 return 0;
218
219 return 1;
220}
221
222/*
223 * Derive the initial secret from <secret> and QUIC version dependent salt.
224 * Returns the size of the derived secret if succeeded, 0 if not.
225 */
226int quic_derive_initial_secret(const EVP_MD *md,
227 unsigned char *initial_secret, size_t initial_secret_sz,
228 const unsigned char *secret, size_t secret_sz)
229{
230 if (!quic_hkdf_extract(md, initial_secret, &initial_secret_sz, secret, secret_sz,
Frédéric Lécaille98ad56a2021-07-06 17:08:04 +0200[diff] [blame]231 initial_salt_v1, sizeof initial_salt_v1))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]232 return 0;
233
234 return 1;
235}
236
237/*
238 * Derive the client initial secret from the initial secret.
239 * Returns the size of the derived secret if succeeded, 0 if not.
240 */
241int quic_tls_derive_initial_secrets(const EVP_MD *md,
242 unsigned char *rx, size_t rx_sz,
243 unsigned char *tx, size_t tx_sz,
244 const unsigned char *secret, size_t secret_sz,
245 int server)
246{
247 const unsigned char client_label[] = "client in";
248 const unsigned char server_label[] = "server in";
249 const unsigned char *tx_label, *rx_label;
250 size_t rx_label_sz, tx_label_sz;
251
252 if (server) {
253 rx_label = client_label;
254 rx_label_sz = sizeof client_label;
255 tx_label = server_label;
256 tx_label_sz = sizeof server_label;
257 }
258 else {
259 rx_label = server_label;
260 rx_label_sz = sizeof server_label;
261 tx_label = client_label;
262 tx_label_sz = sizeof client_label;
263 }
264
265 if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz,
266 rx_label, rx_label_sz - 1) ||
267 !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz,
268 tx_label, tx_label_sz - 1))
269 return 0;
270
271 return 1;
272}
273
274/*
275 * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with
276 * <aead_ivlen> as size depending on <pn> packet number.
277 * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm
278 * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>.
279 * This function fails and return 0 only if the two buffer lengths are different, 1 if not.
280 */
281int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
282 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn)
283{
284 int i;
285 unsigned int shift;
286 unsigned char *pos = iv;
287
288 if (ivlen != aead_ivlen)
289 return 0;
290
291 for (i = 0; i < ivlen - sizeof pn; i++)
292 *pos++ = *aead_iv++;
293
294 /* Only the remaining (sizeof pn) bytes are XOR'ed. */
295 shift = 56;
296 for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8)
297 *pos++ = *aead_iv++ ^ (pn >> shift);
298
299 return 1;
300}
301
302/*
303 * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead
304 *
305 * 5.3. AEAD Usage
306 *
307 * Packets are protected prior to applying header protection (Section 5.4).
308 * The unprotected packet header is part of the associated data (A). When removing
309 * packet protection, an endpoint first removes the header protection.
310 * (...)
311 * These ciphersuites have a 16-byte authentication tag and produce an output 16
312 * bytes larger than their input.
313 * The key and IV for the packet are computed as described in Section 5.1. The nonce,
314 * N, is formed by combining the packet protection IV with the packet number. The 62
315 * bits of the reconstructed QUIC packet number in network byte order are left-padded
316 * with zeros to the size of the IV. The exclusive OR of the padded packet number and
317 * the IV forms the AEAD nonce.
318 *
319 * The associated data, A, for the AEAD is the contents of the QUIC header, starting
320 * from the flags byte in either the short or long header, up to and including the
321 * unprotected packet number.
322 *
323 * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described
324 * in [QUIC-TRANSPORT].
325 *
326 * The output ciphertext, C, of the AEAD is transmitted in place of P.
327 *
328 * Some AEAD functions have limits for how many packets can be encrypted under the same
329 * key and IV (see for example [AEBounds]). This might be lower than the packet number limit.
330 * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for
331 * the AEAD that is in use.
332 */
333
334int quic_tls_encrypt(unsigned char *buf, size_t len,
335 const unsigned char *aad, size_t aad_len,
336 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
337{
338 EVP_CIPHER_CTX *ctx;
339 int ret, outlen;
340
341 ret = 0;
342 ctx = EVP_CIPHER_CTX_new();
343 if (!ctx)
344 return 0;
345
346 if (!EVP_EncryptInit_ex(ctx, aead, NULL, key, iv) ||
347 !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
348 !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) ||
349 !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) ||
350 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len))
351 goto out;
352
353 ret = 1;
354
355 out:
356 EVP_CIPHER_CTX_free(ctx);
357
358 return ret;
359}
360
361int quic_tls_decrypt(unsigned char *buf, size_t len,
362 unsigned char *aad, size_t aad_len,
363 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
364{
365 int ret, outlen;
366 size_t off;
367 EVP_CIPHER_CTX *ctx;
368
369 ret = 0;
370 off = 0;
371 ctx = EVP_CIPHER_CTX_new();
372 if (!ctx)
373 return 0;
374
375 if (!EVP_DecryptInit_ex(ctx, aead, NULL, key, iv) ||
376 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
377 !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN))
378 goto out;
379
380 off += outlen;
381
382 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN,
383 buf + len - QUIC_TLS_TAG_LEN) ||
384 !EVP_DecryptFinal_ex(ctx, buf + off, &outlen))
385 goto out;
386
387 off += outlen;
388
389 ret = off;
390
391 out:
392 EVP_CIPHER_CTX_free(ctx);
393 return ret;
394}