Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / c105492bf5b84b8b55a5c03fdce70fdd85d456bd / . / src / quic_tls.c
blob: 623f759be231958ff8475c00d109c488677b993a [file] [log] [blame]
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]1#include <string.h>
2
3#include <openssl/ssl.h>
4
5#if defined(OPENSSL_IS_BORINGSSL)
6#include <openssl/hkdf.h>
7#else
8#include <openssl/evp.h>
9#include <openssl/kdf.h>
10#endif
11
12#include <haproxy/buf.h>
13#include <haproxy/chunk.h>
14//#include <haproxy/quic_tls-t.h>
15#include <haproxy/xprt_quic.h>
16
17
Frédéric Lécaillefc768ec2021-11-23 21:02:04 +0100[diff] [blame]18DECLARE_POOL(pool_head_quic_tls_secret, "quic_tls_secret", QUIC_TLS_SECRET_LEN);
19DECLARE_POOL(pool_head_quic_tls_iv, "quic_tls_iv", QUIC_TLS_IV_LEN);
20DECLARE_POOL(pool_head_quic_tls_key, "quic_tls_key", QUIC_TLS_KEY_LEN);
21
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]22__attribute__((format (printf, 3, 4)))
23void hexdump(const void *buf, size_t buflen, const char *title_fmt, ...);
24
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]25/* Dump the RX/TX secrets of <secs> QUIC TLS secrets. */
Amaury Denoyelle4fd53d72021-12-21 14:28:26 +0100[diff] [blame]26void quic_tls_keys_hexdump(struct buffer *buf,
27 const struct quic_tls_secrets *secs)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]28{
29 int i;
30 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(secs->aead);
31 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(secs->aead);
32 size_t hp_len = (size_t)EVP_CIPHER_key_length(secs->hp);
33
34 chunk_appendf(buf, "\n key=");
35 for (i = 0; i < aead_keylen; i++)
36 chunk_appendf(buf, "%02x", secs->key[i]);
37 chunk_appendf(buf, "\n iv=");
38 for (i = 0; i < aead_ivlen; i++)
39 chunk_appendf(buf, "%02x", secs->iv[i]);
40 chunk_appendf(buf, "\n hp=");
41 for (i = 0; i < hp_len; i++)
42 chunk_appendf(buf, "%02x", secs->hp_key[i]);
43}
44
45/* Dump <secret> TLS secret. */
46void quic_tls_secret_hexdump(struct buffer *buf,
47 const unsigned char *secret, size_t secret_len)
48{
49 int i;
50
51 chunk_appendf(buf, " secret=");
52 for (i = 0; i < secret_len; i++)
53 chunk_appendf(buf, "%02x", secret[i]);
54}
55
56#if defined(OPENSSL_IS_BORINGSSL)
57int quic_hkdf_extract(const EVP_MD *md,
58 unsigned char *buf, size_t *buflen,
59 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]60 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]61{
62 return HKDF_extract(buf, buflen, md, key, keylen, salt, saltlen);
63}
64
65int quic_hkdf_expand(const EVP_MD *md,
66 unsigned char *buf, size_t buflen,
67 const unsigned char *key, size_t keylen,
68 const unsigned char *label, size_t labellen)
69{
70 return HKDF_expand(buf, buflen, md, key, keylen, label, labellen);
71}
72#else
73int quic_hkdf_extract(const EVP_MD *md,
Frédéric Lécaille4ba3b4e2022-05-10 18:40:19 +0200[diff] [blame]74 unsigned char *buf, size_t buflen,
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]75 const unsigned char *key, size_t keylen,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]76 const unsigned char *salt, size_t saltlen)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]77{
78 EVP_PKEY_CTX *ctx;
79
80 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
81 if (!ctx)
82 return 0;
83
84 if (EVP_PKEY_derive_init(ctx) <= 0 ||
85 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) <= 0 ||
86 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
87 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
88 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
Frédéric Lécaille4ba3b4e2022-05-10 18:40:19 +0200[diff] [blame]89 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]90 goto err;
91
92 EVP_PKEY_CTX_free(ctx);
93 return 1;
94
95 err:
96 EVP_PKEY_CTX_free(ctx);
97 return 0;
98}
99
100int quic_hkdf_expand(const EVP_MD *md,
101 unsigned char *buf, size_t buflen,
102 const unsigned char *key, size_t keylen,
103 const unsigned char *label, size_t labellen)
104{
105 EVP_PKEY_CTX *ctx;
106
107 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
108 if (!ctx)
109 return 0;
110
111 if (EVP_PKEY_derive_init(ctx) <= 0 ||
112 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
113 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
114 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
115 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
116 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
117 goto err;
118
119 EVP_PKEY_CTX_free(ctx);
120 return 1;
121
122 err:
123 EVP_PKEY_CTX_free(ctx);
124 return 0;
125}
Frédéric Lécaille7b92c812022-05-06 09:54:48 +0200[diff] [blame]126
127/* Extracts a peudo-random secret key from <key> which is eventually not
128 * pseudo-random and expand it to a new pseudo-random key into
129 * <buf> with <buflen> as key length according to HKDF specifications
130 * (https://datatracker.ietf.org/doc/html/rfc5869).
131 * According to this specifications it is highly recommended to use
132 * a salt, even if optional (NULL value).
133 * Return 1 if succeeded, 0 if not.
134 */
135int quic_hkdf_extract_and_expand(const EVP_MD *md,
136 unsigned char *buf, size_t buflen,
137 const unsigned char *key, size_t keylen,
138 const unsigned char *salt, size_t saltlen,
139 const unsigned char *label, size_t labellen)
140{
141 EVP_PKEY_CTX *ctx;
142
143 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
144 if (!ctx)
145 return 0;
146
147 if (EVP_PKEY_derive_init(ctx) <= 0 ||
148 EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) <= 0 ||
149 EVP_PKEY_CTX_set_hkdf_md(ctx, md) <= 0 ||
150 EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, saltlen) <= 0 ||
151 EVP_PKEY_CTX_set1_hkdf_key(ctx, key, keylen) <= 0 ||
152 EVP_PKEY_CTX_add1_hkdf_info(ctx, label, labellen) <= 0 ||
153 EVP_PKEY_derive(ctx, buf, &buflen) <= 0)
154 goto err;
155
156 EVP_PKEY_CTX_free(ctx);
157 return 1;
158
159 err:
160 EVP_PKEY_CTX_free(ctx);
161 return 0;
162}
163
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]164#endif
165
166/* https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#protection-keys
167 * refers to:
168 *
169 * https://tools.ietf.org/html/rfc8446#section-7.1:
170 * 7.1. Key Schedule
171 *
172 * The key derivation process makes use of the HKDF-Extract and
173 * HKDF-Expand functions as defined for HKDF [RFC5869], as well as the
174 * functions defined below:
175 *
176 * HKDF-Expand-Label(Secret, Label, Context, Length) =
177 * HKDF-Expand(Secret, HkdfLabel, Length)
178 *
179 * Where HkdfLabel is specified as:
180 *
181 * struct {
182 * uint16 length = Length;
183 * opaque label<7..255> = "tls13 " + Label;
184 * opaque context<0..255> = Context;
185 * } HkdfLabel;
186 *
187 * Derive-Secret(Secret, Label, Messages) =
188 * HKDF-Expand-Label(Secret, Label,
189 * Transcript-Hash(Messages), Hash.length)
190 *
191 */
192int quic_hkdf_expand_label(const EVP_MD *md,
193 unsigned char *buf, size_t buflen,
194 const unsigned char *key, size_t keylen,
195 const unsigned char *label, size_t labellen)
196{
197 unsigned char hdkf_label[256], *pos;
198 const unsigned char hdkf_label_label[] = "tls13 ";
199 size_t hdkf_label_label_sz = sizeof hdkf_label_label - 1;
200
201 pos = hdkf_label;
202 *pos++ = buflen >> 8;
203 *pos++ = buflen & 0xff;
204 *pos++ = hdkf_label_label_sz + labellen;
205 memcpy(pos, hdkf_label_label, hdkf_label_label_sz);
206 pos += hdkf_label_label_sz;
207 memcpy(pos, label, labellen);
208 pos += labellen;
209 *pos++ = '\0';
210
211 return quic_hkdf_expand(md, buf, buflen,
212 key, keylen, hdkf_label, pos - hdkf_label);
213}
214
215/*
216 * This function derives two keys from <secret> is <ctx> as TLS cryptographic context.
217 * ->key is the TLS key to be derived to encrypt/decrypt data at TLS level.
218 * ->iv is the initialization vector to be used with ->key.
219 * ->hp_key is the key to be derived for header protection.
220 * Obviouly these keys have the same size becaused derived with the same TLS cryptographic context.
221 */
222int quic_tls_derive_keys(const EVP_CIPHER *aead, const EVP_CIPHER *hp,
223 const EVP_MD *md,
224 unsigned char *key, size_t keylen,
225 unsigned char *iv, size_t ivlen,
226 unsigned char *hp_key, size_t hp_keylen,
227 const unsigned char *secret, size_t secretlen)
228{
229 size_t aead_keylen = (size_t)EVP_CIPHER_key_length(aead);
230 size_t aead_ivlen = (size_t)EVP_CIPHER_iv_length(aead);
Frédéric Lécaille6e351d62021-11-30 11:06:41 +0100[diff] [blame]231 size_t hp_len = hp ? (size_t)EVP_CIPHER_key_length(hp) : 0;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]232 const unsigned char key_label[] = "quic key";
233 const unsigned char iv_label[] = "quic iv";
234 const unsigned char hp_key_label[] = "quic hp";
235
236 if (aead_keylen > keylen || aead_ivlen > ivlen || hp_len > hp_keylen)
237 return 0;
238
239 if (!quic_hkdf_expand_label(md, key, aead_keylen, secret, secretlen,
240 key_label, sizeof key_label - 1) ||
241 !quic_hkdf_expand_label(md, iv, aead_ivlen, secret, secretlen,
242 iv_label, sizeof iv_label - 1) ||
Frédéric Lécaille6e351d62021-11-30 11:06:41 +0100[diff] [blame]243 (hp_key && !quic_hkdf_expand_label(md, hp_key, hp_len, secret, secretlen,
244 hp_key_label, sizeof hp_key_label - 1)))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]245 return 0;
246
247 return 1;
248}
249
250/*
251 * Derive the initial secret from <secret> and QUIC version dependent salt.
252 * Returns the size of the derived secret if succeeded, 0 if not.
253 */
254int quic_derive_initial_secret(const EVP_MD *md,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]255 const unsigned char *initial_salt, size_t initial_salt_sz,
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]256 unsigned char *initial_secret, size_t initial_secret_sz,
257 const unsigned char *secret, size_t secret_sz)
258{
Frédéric Lécaille4ba3b4e2022-05-10 18:40:19 +0200[diff] [blame]259 if (!quic_hkdf_extract(md, initial_secret, initial_secret_sz, secret, secret_sz,
Frédéric Lécaille2fc76cf2021-08-31 19:10:40 +0200[diff] [blame]260 initial_salt, initial_salt_sz))
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]261 return 0;
262
263 return 1;
264}
265
266/*
267 * Derive the client initial secret from the initial secret.
268 * Returns the size of the derived secret if succeeded, 0 if not.
269 */
270int quic_tls_derive_initial_secrets(const EVP_MD *md,
271 unsigned char *rx, size_t rx_sz,
272 unsigned char *tx, size_t tx_sz,
273 const unsigned char *secret, size_t secret_sz,
274 int server)
275{
276 const unsigned char client_label[] = "client in";
277 const unsigned char server_label[] = "server in";
278 const unsigned char *tx_label, *rx_label;
279 size_t rx_label_sz, tx_label_sz;
280
281 if (server) {
282 rx_label = client_label;
283 rx_label_sz = sizeof client_label;
284 tx_label = server_label;
285 tx_label_sz = sizeof server_label;
286 }
287 else {
288 rx_label = server_label;
289 rx_label_sz = sizeof server_label;
290 tx_label = client_label;
291 tx_label_sz = sizeof client_label;
292 }
293
294 if (!quic_hkdf_expand_label(md, rx, rx_sz, secret, secret_sz,
295 rx_label, rx_label_sz - 1) ||
296 !quic_hkdf_expand_label(md, tx, tx_sz, secret, secret_sz,
297 tx_label, tx_label_sz - 1))
298 return 0;
299
300 return 1;
301}
302
Frédéric Lécaille39484de2021-11-30 10:10:24 +0100[diff] [blame]303/* Update <sec> secret key into <new_sec> according to RFC 9001 6.1.
304 * Always succeeds.
305 */
306int quic_tls_sec_update(const EVP_MD *md,
307 unsigned char *new_sec, size_t new_seclen,
308 const unsigned char *sec, size_t seclen)
309{
310 const unsigned char ku_label[] = "quic ku";
311
312 return quic_hkdf_expand_label(md, new_sec, new_seclen, sec, seclen,
313 ku_label, sizeof ku_label - 1);
314}
315
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]316/*
317 * Build an IV into <iv> buffer with <ivlen> as size from <aead_iv> with
318 * <aead_ivlen> as size depending on <pn> packet number.
319 * This is the function which must be called to build an AEAD IV for the AEAD cryptographic algorithm
320 * used to encrypt/decrypt the QUIC packet payloads depending on the packet number <pn>.
321 * This function fails and return 0 only if the two buffer lengths are different, 1 if not.
322 */
323int quic_aead_iv_build(unsigned char *iv, size_t ivlen,
324 unsigned char *aead_iv, size_t aead_ivlen, uint64_t pn)
325{
326 int i;
327 unsigned int shift;
328 unsigned char *pos = iv;
329
330 if (ivlen != aead_ivlen)
331 return 0;
332
333 for (i = 0; i < ivlen - sizeof pn; i++)
334 *pos++ = *aead_iv++;
335
336 /* Only the remaining (sizeof pn) bytes are XOR'ed. */
337 shift = 56;
338 for (i = aead_ivlen - sizeof pn; i < aead_ivlen ; i++, shift -= 8)
339 *pos++ = *aead_iv++ ^ (pn >> shift);
340
341 return 1;
342}
343
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]344/* Initialize the cipher context for RX part of <tls_ctx> QUIC TLS context.
345 * Return 1 if succeeded, 0 if not.
346 */
347int quic_tls_rx_ctx_init(EVP_CIPHER_CTX **rx_ctx,
348 const EVP_CIPHER *aead, unsigned char *key)
349{
350 EVP_CIPHER_CTX *ctx;
351 int aead_nid = EVP_CIPHER_nid(aead);
352
353 ctx = EVP_CIPHER_CTX_new();
354 if (!ctx)
355 return 0;
356
357 if (!EVP_DecryptInit_ex(ctx, aead, NULL, NULL, NULL) ||
Frédéric Lécaillef2f4a4e2022-04-05 12:18:46 +0200[diff] [blame]358 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) ||
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]359 (aead_nid == NID_aes_128_ccm &&
360 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) ||
361 !EVP_DecryptInit_ex(ctx, NULL, NULL, key, NULL))
362 goto err;
363
364 *rx_ctx = ctx;
365
366 return 1;
367
368 err:
369 EVP_CIPHER_CTX_free(ctx);
370 return 0;
371}
372
373/* Initialize the cipher context for TX part of <tls_ctx> QUIC TLS context.
374 * Return 1 if succeeded, 0 if not.
375 */
376int quic_tls_tx_ctx_init(EVP_CIPHER_CTX **tx_ctx,
377 const EVP_CIPHER *aead, unsigned char *key)
378{
379 EVP_CIPHER_CTX *ctx;
380 int aead_nid = EVP_CIPHER_nid(aead);
381
382 ctx = EVP_CIPHER_CTX_new();
383 if (!ctx)
384 return 0;
385
386 if (!EVP_EncryptInit_ex(ctx, aead, NULL, NULL, NULL) ||
Frédéric Lécaillef2f4a4e2022-04-05 12:18:46 +0200[diff] [blame]387 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, QUIC_TLS_IV_LEN, NULL) ||
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]388 (aead_nid == NID_aes_128_ccm &&
389 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, NULL)) ||
390 !EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL))
391 goto err;
392
393 *tx_ctx = ctx;
394
395 return 1;
396
397 err:
398 EVP_CIPHER_CTX_free(ctx);
399 return 0;
400}
401
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]402/*
403 * https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#aead
404 *
405 * 5.3. AEAD Usage
406 *
407 * Packets are protected prior to applying header protection (Section 5.4).
408 * The unprotected packet header is part of the associated data (A). When removing
409 * packet protection, an endpoint first removes the header protection.
410 * (...)
411 * These ciphersuites have a 16-byte authentication tag and produce an output 16
412 * bytes larger than their input.
413 * The key and IV for the packet are computed as described in Section 5.1. The nonce,
414 * N, is formed by combining the packet protection IV with the packet number. The 62
415 * bits of the reconstructed QUIC packet number in network byte order are left-padded
416 * with zeros to the size of the IV. The exclusive OR of the padded packet number and
417 * the IV forms the AEAD nonce.
418 *
419 * The associated data, A, for the AEAD is the contents of the QUIC header, starting
420 * from the flags byte in either the short or long header, up to and including the
421 * unprotected packet number.
422 *
423 * The input plaintext, P, for the AEAD is the payload of the QUIC packet, as described
424 * in [QUIC-TRANSPORT].
425 *
426 * The output ciphertext, C, of the AEAD is transmitted in place of P.
427 *
428 * Some AEAD functions have limits for how many packets can be encrypted under the same
429 * key and IV (see for example [AEBounds]). This might be lower than the packet number limit.
430 * An endpoint MUST initiate a key update (Section 6) prior to exceeding any limit set for
431 * the AEAD that is in use.
432 */
433
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]434/* Encrypt in place <buf> plaintext with <len> as length with QUIC_TLS_TAG_LEN
435 * included tailing bytes for the tag.
436 * Note that for CCM mode, we must set the the ciphertext length if AAD data
437 * are provided from <aad> buffer with <aad_len> as length. This is always the
438 * case here. So the caller of this function must provide <aad>.
439 *
440 * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
441 */
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]442int quic_tls_encrypt(unsigned char *buf, size_t len,
443 const unsigned char *aad, size_t aad_len,
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]444 EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
445 const unsigned char *key, const unsigned char *iv)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]446{
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]447 int outlen;
448 int aead_nid = EVP_CIPHER_nid(aead);
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]449
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]450 if (!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) ||
451 (aead_nid == NID_aes_128_ccm &&
452 !EVP_EncryptUpdate(ctx, NULL, &outlen, NULL, len)) ||
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]453 !EVP_EncryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
454 !EVP_EncryptUpdate(ctx, buf, &outlen, buf, len) ||
455 !EVP_EncryptFinal_ex(ctx, buf + outlen, &outlen) ||
456 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, buf + len))
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]457 return 0;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]458
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]459 return 1;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]460}
461
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]462/* Decrypt in place <buf> ciphertext with <len> as length with QUIC_TLS_TAG_LEN
463 * included tailing bytes for the tag.
464 * Note that for CCM mode, we must set the the ciphertext length if AAD data
465 * are provided from <aad> buffer with <aad_len> as length. This is always the
466 * case here. So the caller of this function must provide <aad>. Also not the
467 * there is no need to call EVP_DecryptFinal_ex for CCM mode.
468 *
469 * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
470 */
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]471int quic_tls_decrypt(unsigned char *buf, size_t len,
472 unsigned char *aad, size_t aad_len,
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]473 EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
474 const unsigned char *key, const unsigned char *iv)
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]475{
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]476 int outlen;
477 int aead_nid = EVP_CIPHER_nid(aead);
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]478
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]479 if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) ||
480 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN,
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]481 buf + len - QUIC_TLS_TAG_LEN) ||
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]482 (aead_nid == NID_aes_128_ccm &&
483 !EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, len - QUIC_TLS_TAG_LEN)) ||
484 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
485 !EVP_DecryptUpdate(ctx, buf, &outlen, buf, len - QUIC_TLS_TAG_LEN) ||
486 (aead_nid != NID_aes_128_ccm &&
487 !EVP_DecryptFinal_ex(ctx, buf + outlen, &outlen)))
488 return 0;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]489
Frédéric Lécaillef4605742022-04-05 10:28:29 +0200[diff] [blame]490 return 1;
Frédéric Lécaillea7e7ce92020-11-23 14:14:04 +0100[diff] [blame]491}
Amaury Denoyelle6efec292022-01-11 11:57:00 +0100[diff] [blame]492
Frédéric Lécaille55367c82022-05-16 10:27:57 +0200[diff] [blame]493/* Similar to quic_tls_decrypt(), except that this function does not decrypt
494 * in place its ciphertest if <out> output buffer ciphertest with <len> as length
495 * is different from <in> input buffer. This is the responbality of the caller
496 * to check that the output buffer has at least the same size as the input buffer.
497 * Note that for CCM mode, we must set the the ciphertext length if AAD data
498 * are provided from <aad> buffer with <aad_len> as length. This is always the
499 * case here. So the caller of this function must provide <aad>. Also note that
500 * there is no need to call EVP_DecryptFinal_ex for CCM mode.
501 *
502 * https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
503 *
504 * Return 1 if succeeded, 0 if not.
505 */
506int quic_tls_decrypt2(unsigned char *out,
507 unsigned char *in, size_t len,
508 unsigned char *aad, size_t aad_len,
509 EVP_CIPHER_CTX *ctx, const EVP_CIPHER *aead,
510 const unsigned char *key, const unsigned char *iv)
511{
512 int outlen;
513 int aead_nid = EVP_CIPHER_nid(aead);
514
515 len -= QUIC_TLS_TAG_LEN;
516 if (!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) ||
517 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, QUIC_TLS_TAG_LEN, in + len) ||
518 (aead_nid == NID_aes_128_ccm &&
519 !EVP_DecryptUpdate(ctx, NULL, &outlen, NULL, len)) ||
520 !EVP_DecryptUpdate(ctx, NULL, &outlen, aad, aad_len) ||
521 !EVP_DecryptUpdate(ctx, out, &outlen, in, len) ||
522 (aead_nid != NID_aes_128_ccm &&
523 !EVP_DecryptFinal_ex(ctx, out + outlen, &outlen)))
524 return 0;
525
526 return 1;
527}
528
Frédéric Lécaillea9c5d8d2022-05-12 14:44:51 +0200[diff] [blame]529/* Derive <key> and <iv> key and IV to be used to encrypt a retry token
530 * with <secret> which is not pseudo-random.
531 * Return 1 if succeeded, 0 if not.
532 */
533int quic_tls_derive_retry_token_secret(const EVP_MD *md,
534 unsigned char *key, size_t keylen,
535 unsigned char *iv, size_t ivlen,
536 const unsigned char *salt, size_t saltlen,
537 const unsigned char *secret, size_t secretlen)
538{
539 unsigned char tmpkey[QUIC_TLS_KEY_LEN];
540 const unsigned char tmpkey_label[] = "retry token";
541 const unsigned char key_label[] = "retry token key";
542 const unsigned char iv_label[] = "retry token iv";
543
544 if (!quic_hkdf_extract_and_expand(md, tmpkey, sizeof tmpkey,
545 secret, secretlen, salt, saltlen,
546 tmpkey_label, sizeof tmpkey_label - 1) ||
547 !quic_hkdf_expand(md, key, keylen, tmpkey, sizeof tmpkey,
548 key_label, sizeof key_label - 1) ||
549 !quic_hkdf_expand(md, iv, ivlen, secret, secretlen,
550 iv_label, sizeof iv_label - 1))
551 return 0;
552
553 return 1;
554}
555
Amaury Denoyelle6efec292022-01-11 11:57:00 +0100[diff] [blame]556/* Generate the AEAD tag for the Retry packet <pkt> of <pkt_len> bytes and
557 * write it to <tag>. The tag is written just after the <pkt> area. It should
558 * be at least 16 bytes longs. <odcid> is the CID of the Initial packet
559 * received which triggers the Retry.
560 *
561 * Returns non-zero on success else zero.
562 */
563int quic_tls_generate_retry_integrity_tag(unsigned char *odcid,
564 unsigned char odcid_len,
565 unsigned char *pkt, size_t pkt_len)
566{
567 const EVP_CIPHER *evp = EVP_aes_128_gcm();
568 EVP_CIPHER_CTX *ctx;
569
570 /* key/nonce from rfc9001 5.8. Retry Packet Integrity */
571 const unsigned char key[] = {
572 0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a,
573 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e,
574 };
575 const unsigned char nonce[] = {
576 0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb,
577 };
578
579 /* encryption buffer - not used as only AEAD tag generation is proceed */
580 unsigned char *out = NULL;
581 /* address to store the AEAD tag */
582 unsigned char *tag = pkt + pkt_len;
583 int outlen, ret = 0;
584
585 ctx = EVP_CIPHER_CTX_new();
586 if (!ctx)
587 return 0;
588
589 /* rfc9001 5.8. Retry Packet Integrity
590 *
591 * AEAD is proceed over a pseudo-Retry packet used as AAD. It contains
592 * the ODCID len + data and the Retry packet itself.
593 */
594 if (!EVP_EncryptInit_ex(ctx, evp, NULL, key, nonce) ||
595 /* specify pseudo-Retry as AAD */
596 !EVP_EncryptUpdate(ctx, NULL, &outlen, &odcid_len, sizeof(odcid_len)) ||
597 !EVP_EncryptUpdate(ctx, NULL, &outlen, odcid, odcid_len) ||
598 !EVP_EncryptUpdate(ctx, NULL, &outlen, pkt, pkt_len) ||
599 /* finalize */
600 !EVP_EncryptFinal_ex(ctx, out, &outlen) ||
601 /* store the tag */
602 !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, QUIC_TLS_TAG_LEN, tag)) {
603 goto out;
604 }
605 ret = 1;
606
607 out:
608 EVP_CIPHER_CTX_free(ctx);
609 return ret;
610}