quic_record_util.c
/*
* Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "internal/quic_record_util.h"
#include "internal/quic_record_rx.h"
#include "internal/quic_record_tx.h"
#include "internal/quic_wire_pkt.h"
#include "../ssl_local.h"
#include <openssl/kdf.h>
#include <openssl/core_names.h>
/*
* QUIC Key Derivation Utilities
* =============================
*/
int ossl_quic_hkdf_extract(OSSL_LIB_CTX *libctx,
const char *propq,
const EVP_MD *md,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
unsigned char *out, size_t out_len)
{
int ret = 0;
EVP_KDF *kdf = NULL;
EVP_KDF_CTX *kctx = NULL;
OSSL_PARAM params[7], *p = params;
int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;
const char *md_name;
if ((md_name = EVP_MD_get0_name(md)) == NULL
|| (kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_HKDF, propq)) == NULL
|| (kctx = EVP_KDF_CTX_new(kdf)) == NULL)
goto err;
*p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
(char *)md_name, 0);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
(unsigned char *)salt, salt_len);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
(unsigned char *)ikm, ikm_len);
*p++ = OSSL_PARAM_construct_end();
ret = EVP_KDF_derive(kctx, out, out_len, params);
err:
EVP_KDF_CTX_free(kctx);
EVP_KDF_free(kdf);
return ret;
}
/* Constants used for key derivation in QUIC v1. */
static const unsigned char quic_client_in_label[] = {
0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x69, 0x6e /* "client in" */
};
static const unsigned char quic_server_in_label[] = {
0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x69, 0x6e /* "server in" */
};
/* Salt used to derive Initial packet protection keys (RFC 9001 Section 5.2). */
static const unsigned char quic_v1_initial_salt[] = {
0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17,
0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a
};
int ossl_quic_provide_initial_secret(OSSL_LIB_CTX *libctx,
const char *propq,
const QUIC_CONN_ID *dst_conn_id,
int is_server,
struct ossl_qrx_st *qrx,
struct ossl_qtx_st *qtx)
{
unsigned char initial_secret[32];
unsigned char client_initial_secret[32], server_initial_secret[32];
unsigned char *rx_secret, *tx_secret;
EVP_MD *sha256;
if (qrx == NULL && qtx == NULL)
return 1;
/* Initial encryption always uses SHA-256. */
if ((sha256 = EVP_MD_fetch(libctx, "SHA256", propq)) == NULL)
return 0;
if (is_server) {
rx_secret = client_initial_secret;
tx_secret = server_initial_secret;
} else {
rx_secret = server_initial_secret;
tx_secret = client_initial_secret;
}
/* Derive initial secret from destination connection ID. */
if (!ossl_quic_hkdf_extract(libctx, propq,
sha256,
quic_v1_initial_salt,
sizeof(quic_v1_initial_salt),
dst_conn_id->id,
dst_conn_id->id_len,
initial_secret,
sizeof(initial_secret)))
goto err;
/* Derive "client in" secret. */
if (((qtx != NULL && tx_secret == client_initial_secret)
|| (qrx != NULL && rx_secret == client_initial_secret))
&& !tls13_hkdf_expand_ex(libctx, propq,
sha256,
initial_secret,
quic_client_in_label,
sizeof(quic_client_in_label),
NULL, 0,
client_initial_secret,
sizeof(client_initial_secret), 1))
goto err;
/* Derive "server in" secret. */
if (((qtx != NULL && tx_secret == server_initial_secret)
|| (qrx != NULL && rx_secret == server_initial_secret))
&& !tls13_hkdf_expand_ex(libctx, propq,
sha256,
initial_secret,
quic_server_in_label,
sizeof(quic_server_in_label),
NULL, 0,
server_initial_secret,
sizeof(server_initial_secret), 1))
goto err;
/* Setup RX EL. Initial encryption always uses AES-128-GCM. */
if (qrx != NULL
&& !ossl_qrx_provide_secret(qrx, QUIC_ENC_LEVEL_INITIAL,
QRL_SUITE_AES128GCM,
sha256,
rx_secret,
sizeof(server_initial_secret)))
goto err;
/*
* ossl_qrx_provide_secret takes ownership of our ref to SHA256, so if we
* are initialising both sides, get a new ref for the following call for the
* TX side.
*/
if (qrx != NULL && qtx != NULL && !EVP_MD_up_ref(sha256)) {
sha256 = NULL;
goto err;
}
/* Setup TX cipher. */
if (qtx != NULL
&& !ossl_qtx_provide_secret(qtx, QUIC_ENC_LEVEL_INITIAL,
QRL_SUITE_AES128GCM,
sha256,
tx_secret,
sizeof(server_initial_secret)))
goto err;
return 1;
err:
EVP_MD_free(sha256);
return 0;
}
/*
* QUIC Record Layer Ciphersuite Info
* ==================================
*/
struct suite_info {
const char *cipher_name, *md_name;
uint32_t secret_len, cipher_key_len, cipher_iv_len, cipher_tag_len;
uint32_t hdr_prot_key_len, hdr_prot_cipher_id;
uint64_t max_pkt, max_forged_pkt;
};
static const struct suite_info suite_aes128gcm = {
"AES-128-GCM", "SHA256", 32, 16, 12, 16, 16,
QUIC_HDR_PROT_CIPHER_AES_128,
((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */
((uint64_t)1) << 52,
};
static const struct suite_info suite_aes256gcm = {
"AES-256-GCM", "SHA384", 48, 32, 12, 16, 32,
QUIC_HDR_PROT_CIPHER_AES_256,
((uint64_t)1) << 23, /* Limits as prescribed by RFC 9001 */
((uint64_t)1) << 52,
};
static const struct suite_info suite_chacha20poly1305 = {
"ChaCha20-Poly1305", "SHA256", 32, 32, 12, 16, 32,
QUIC_HDR_PROT_CIPHER_CHACHA,
/* Do not use UINT64_MAX here as this represents an invalid value */
UINT64_MAX - 1, /* No applicable limit for this suite (RFC 9001) */
((uint64_t)1) << 36, /* Limit as prescribed by RFC 9001 */
};
static const struct suite_info *get_suite(uint32_t suite_id)
{
switch (suite_id) {
case QRL_SUITE_AES128GCM:
return &suite_aes128gcm;
case QRL_SUITE_AES256GCM:
return &suite_aes256gcm;
case QRL_SUITE_CHACHA20POLY1305:
return &suite_chacha20poly1305;
default:
return NULL;
}
}
const char *ossl_qrl_get_suite_cipher_name(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->cipher_name : NULL;
}
const char *ossl_qrl_get_suite_md_name(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->md_name : NULL;
}
uint32_t ossl_qrl_get_suite_secret_len(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->secret_len : 0;
}
uint32_t ossl_qrl_get_suite_cipher_key_len(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->cipher_key_len : 0;
}
uint32_t ossl_qrl_get_suite_cipher_iv_len(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->cipher_iv_len : 0;
}
uint32_t ossl_qrl_get_suite_cipher_tag_len(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->cipher_tag_len : 0;
}
uint32_t ossl_qrl_get_suite_hdr_prot_cipher_id(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->hdr_prot_cipher_id : 0;
}
uint32_t ossl_qrl_get_suite_hdr_prot_key_len(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->hdr_prot_key_len : 0;
}
uint64_t ossl_qrl_get_suite_max_pkt(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->max_pkt : UINT64_MAX;
}
uint64_t ossl_qrl_get_suite_max_forged_pkt(uint32_t suite_id)
{
const struct suite_info *c = get_suite(suite_id);
return c != NULL ? c->max_forged_pkt : UINT64_MAX;
}
