blob: f80565ec0123e9c1fefa2ef75efc4ffff91bb2f5 [file] [log] [blame]
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +01001#include <string.h>
2
3#include <openssl/ssl.h>
4
5#if defined(OPENSSL_IS_BORINGSSL)
6#include <openssl/hkdf.h>
7#else
8#include <openssl/evp.h>
9#include <openssl/kdf.h>
10#endif
11
12#include <haproxy/buf.h>
13#include <haproxy/chunk.h>
14//#include <haproxy/quic_tls-t.h>
15#include <haproxy/xprt_quic.h>
16
17
18__attribute__((format (printf, 3, 4)))
19void hexdump(const void *buf, size_t buflen, const char *title_fmt, ...);
20
21/* Initial salt depending on QUIC version to derive client/server initial secrets.
Frédéric Lécailleb4e17382020-12-16 11:28:58 +010022 * This one is for draft-29 QUIC version.
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +010023 */
24unsigned char initial_salt[20] = {
Frédéric Lécailleb4e17382020-12-16 11:28:58 +010025 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c,
26 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0,
27 0x43, 0x90, 0xa8, 0x99
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +010028};
29
30/* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */
31void quic_tls_keys_hexdump(struct buffer *buf, struct quic_tls_secrets *secs)
32{
33 int i;
34 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead);
35 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead);
36 size_t hp_len = (size_t)EVP_CIPHER_key_length(secs->hp);
37
38 chunk_appendf(buf, "\n key=");
39 for (i = 0; i < aead_keylen; i++)
40 chunk_appendf(buf, "%02x", secs->key[i]);
41 chunk_appendf(buf, "\n iv=");
42 for (i = 0; i < aead_ivlen; i++)
43 chunk_appendf(buf, "%02x", secs->iv[i]);
44 chunk_appendf(buf, "\n hp=");
45 for (i = 0; i < hp_len; i++)
46 chunk_appendf(buf, "%02x", secs->hp_key[i]);
47}
48
49/* Dump <secret> TLS secret. */
50void quic_tls_secret_hexdump(struct buffer *buf,
51 const unsigned char *secret, size_t secret_len)
52{
53 int i;
54
55 chunk_appendf(buf, " secret=");
56 for (i = 0; i < secret_len; i++)
57 chunk_appendf(buf, "%02x", secret[i]);
58}
59
60#if defined(OPENSSL_IS_BORINGSSL)
61int quic_hkdf_extract(const EVP_MD *md,
62 unsigned char *buf, size_t *buflen,
63 const unsigned char *key, size_t keylen,
64 unsigned char *salt, size_t saltlen)
65{
66 return HKDF_extract(buf, buflen, md, key, keylen, salt, saltlen);
67}
68
69int quic_hkdf_expand(const EVP_MD *md,
70 unsigned char *buf, size_t buflen,
71 const unsigned char *key, size_t keylen,
72 const unsigned char *label, size_t labellen)
73{
74 return HKDF_expand(buf, buflen, md, key, keylen, label, labellen);
75}
76#else
77int quic_hkdf_extract(const EVP_MD *md,
78 unsigned char *buf, size_t *buflen,
79 const unsigned char *key, size_t keylen,
80 unsigned char *salt, size_t saltlen)
81{
82 EVP_PKEY_CTX *ctx;
83
84 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
85 if (!ctx)
86 return 0;
87
88 if (EVP_PKEY_derive_init(ctx) <= 0 ||
89 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 ||
90 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
91 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
92 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
93 EVP_PKEY_derive(ctx, buf, buflen) <= 0)
94 goto err;
95
96 EVP_PKEY_CTX_free(ctx);
97 return 1;
98
99 err:
100 EVP_PKEY_CTX_free(ctx);
101 return 0;
102}
103
104int quic_hkdf_expand(const EVP_MD *md,
105 unsigned char *buf, size_t buflen,
106 const unsigned char *key, size_t keylen,
107 const unsigned char *label, size_t labellen)
108{
109 EVP_PKEY_CTX *ctx;
110
111 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
112 if (!ctx)
113 return 0;
114
115 if (EVP_PKEY_derive_init(ctx) <= 0 ||
116 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
117 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
118 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
119 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
120 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
121 goto err;
122
123 EVP_PKEY_CTX_free(ctx);
124 return 1;
125
126 err:
127 EVP_PKEY_CTX_free(ctx);
128 return 0;
129}
130#endif
131
132/* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys
133 * refers to:
134 *
135 * https://tools.ietf.org/html/rfc8446#section-7.1:
136 * 7.1. Key Schedule
137 *
138 * The key derivation process makes use of the HKDF-Extract and
139 * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the
140 * functions defined below:
141 *
142 * HKDF-Expand-Label(Secret, Label, Context, Length) =
143 * HKDF-Expand(Secret, HkdfLabel, Length)
144 *
145 * Where HkdfLabel is specified as:
146 *
147 * struct {
148 * uint16 length = Length;
149 * opaque label<7..255> = "tls13 " + Label;
150 * opaque context<0..255> = Context;
151 * } HkdfLabel;
152 *
153 * Derive-Secret(Secret, Label, Messages) =
154 * HKDF-Expand-Label(Secret, Label,
155 * Transcript-Hash(Messages), Hash.length)
156 *
157 */
158int quic_hkdf_expand_label(const EVP_MD *md,
159 unsigned char *buf, size_t buflen,
160 const unsigned char *key, size_t keylen,
161 const unsigned char *label, size_t labellen)
162{
163 unsigned char hdkf_label[256], *pos;
164 const unsigned char hdkf_label_label[] = "tls13 ";
165 size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1;
166
167 pos = hdkf_label;
168 *pos++ = buflen >> 8;
169 *pos++ = buflen & 0xff;
170 *pos++ = hdkf_label_label_sz + labellen;
171 memcpy(pos, hdkf_label_label, hdkf_label_label_sz);
172 pos += hdkf_label_label_sz;
173 memcpy(pos, label, labellen);
174 pos += labellen;
175 *pos++ = '\0';
176
177 return quic_hkdf_expand(md, buf, buflen,
178 key, keylen, hdkf_label, pos - hdkf_label);
179}
180
181/*
182 * This function derives two keys from <secret> is <ctx> as TLS cryptographic context.
183 * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level.
184 * ->iv is the initialization vector to be used with ->key.
185 * ->hp_key is the key to be derived for header protection.
186 * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context.
187 */
188int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
189 const EVP_MD *md,
190 unsigned char *key, size_t keylen,
191 unsigned char *iv, size_t ivlen,
192 unsigned char *hp_key, size_t hp_keylen,
193 const unsigned char *secret, size_t secretlen)
194{
195 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead);
196 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead);
197 size_t hp_len = (size_t)EVP_CIPHER_key_length(hp);
198 const unsigned char key_label[] = "quic key";
199 const unsigned char iv_label[] = "quic iv";
200 const unsigned char hp_key_label[] = "quic hp";
201
202 if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen)
203 return 0;
204
205 if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen,
206 key_label, sizeof key_label - 1) ||
207 !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen,
208 iv_label, sizeof iv_label - 1) ||
209 !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen,
210 hp_key_label, sizeof hp_key_label - 1))
211 return 0;
212
213 return 1;
214}
215
216/*
217 * Derive the initial secret from <secret> and QUIC version dependent salt.
218 * Returns the size of the derived secret if succeeded, 0 if not.
219 */
220int quic_derive_initial_secret(const EVP_MD *md,
221 unsigned char *initial_secret, size_t initial_secret_sz,
222 const unsigned char *secret, size_t secret_sz)
223{
224 if (!quic_hkdf_extract(md, initial_secret, &initial_secret_sz, secret, secret_sz,
225 initial_salt, sizeof initial_salt))
226 return 0;
227
228 return 1;
229}
230
231/*
232 * Derive the client initial secret from the initial secret.
233 * Returns the size of the derived secret if succeeded, 0 if not.
234 */
235int quic_tls_derive_initial_secrets(const EVP_MD *md,
236 unsigned char *rx, size_t rx_sz,
237 unsigned char *tx, size_t tx_sz,
238 const unsigned char *secret, size_t secret_sz,
239 int server)
240{
241 const unsigned char client_label[] = "client in";
242 const unsigned char server_label[] = "server in";
243 const unsigned char *tx_label, *rx_label;
244 size_t rx_label_sz, tx_label_sz;
245
246 if (server) {
247 rx_label = client_label;
248 rx_label_sz = sizeof client_label;
249 tx_label = server_label;
250 tx_label_sz = sizeof server_label;
251 }
252 else {
253 rx_label = server_label;
254 rx_label_sz = sizeof server_label;
255 tx_label = client_label;
256 tx_label_sz = sizeof client_label;
257 }
258
259 if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz,
260 rx_label, rx_label_sz - 1) ||
261 !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz,
262 tx_label, tx_label_sz - 1))
263 return 0;
264
265 return 1;
266}
267
268/*
269 * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with
270 * <aead_ivlen> as size depending on <pn> packet number.
271 * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm
272 * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>.
273 * This function fails and return 0 only if the two buffer lengths are different, 1 if not.
274 */
275int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
276 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn)
277{
278 int i;
279 unsigned int shift;
280 unsigned char *pos = iv;
281
282 if (ivlen != aead_ivlen)
283 return 0;
284
285 for (i = 0; i < ivlen - sizeof pn; i++)
286 *pos++ = *aead_iv++;
287
288 /* Only the remaining (sizeof pn) bytes are XOR'ed. */
289 shift = 56;
290 for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8)
291 *pos++ = *aead_iv++ ^ (pn >> shift);
292
293 return 1;
294}
295
296/*
297 * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead
298 *
299 * 5.3. AEAD Usage
300 *
301 * Packets are protected prior to applying header protection (Section 5.4).
302 * The unprotected packet header is part of the associated data (A). When removing
303 * packet protection, an endpoint first removes the header protection.
304 * (...)
305 * These ciphersuites have a 16-byte authentication tag and produce an output 16
306 * bytes larger than their input.
307 * The key and IV for the packet are computed as described in Section 5.1. The nonce,
308 * N, is formed by combining the packet protection IV with the packet number. The 62
309 * bits of the reconstructed QUIC packet number in network byte order are left-padded
310 * with zeros to the size of the IV. The exclusive OR of the padded packet number and
311 * the IV forms the AEAD nonce.
312 *
313 * The associated data, A, for the AEAD is the contents of the QUIC header, starting
314 * from the flags byte in either the short or long header, up to and including the
315 * unprotected packet number.
316 *
317 * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described
318 * in [QUIC-TRANSPORT].
319 *
320 * The output ciphertext, C, of the AEAD is transmitted in place of P.
321 *
322 * Some AEAD functions have limits for how many packets can be encrypted under the same
323 * key and IV (see for example [AEBounds]). This might be lower than the packet number limit.
324 * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for
325 * the AEAD that is in use.
326 */
327
328int quic_tls_encrypt(unsigned char *buf, size_t len,
329 const unsigned char *aad, size_t aad_len,
330 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
331{
332 EVP_CIPHER_CTX *ctx;
333 int ret, outlen;
334
335 ret = 0;
336 ctx = EVP_CIPHER_CTX_new();
337 if (!ctx)
338 return 0;
339
340 if (!EVP_EncryptInit_ex(ctx, aead, NULL, key, iv) ||
341 !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
342 !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) ||
343 !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) ||
344 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len))
345 goto out;
346
347 ret = 1;
348
349 out:
350 EVP_CIPHER_CTX_free(ctx);
351
352 return ret;
353}
354
355int quic_tls_decrypt(unsigned char *buf, size_t len,
356 unsigned char *aad, size_t aad_len,
357 const EVP_CIPHER *aead, const unsigned char *key, const unsigned char *iv)
358{
359 int ret, outlen;
360 size_t off;
361 EVP_CIPHER_CTX *ctx;
362
363 ret = 0;
364 off = 0;
365 ctx = EVP_CIPHER_CTX_new();
366 if (!ctx)
367 return 0;
368
369 if (!EVP_DecryptInit_ex(ctx, aead, NULL, key, iv) ||
370 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
371 !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN))
372 goto out;
373
374 off += outlen;
375
376 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN,
377 buf + len - QUIC_TLS_TAG_LEN) ||
378 !EVP_DecryptFinal_ex(ctx, buf + off, &outlen))
379 goto out;
380
381 off += outlen;
382
383 ret = off;
384
385 out:
386 EVP_CIPHER_CTX_free(ctx);
387 return ret;
388}