Google Git
Sign in
fuchsia / third_party / rust-mirrors / quiche / f63c440d312944dcb54339070a7b142ba82aab42 / . / src / crypto.rs
blob: 61c53b1eb75a198b415e63ca25f08999aa1376fa [file] [log] [blame]
// Copyright (C) 2018, Cloudflare, Inc.
// Copyright (C) 2018, Alessandro Ghedini
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright notice,
// this list of conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
// THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
// PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
// EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
use ring::aead;
use ring::hkdf;
use crate::Error;
use crate::Result;
use crate::packet;
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Level {
Initial = 0,
// Silence "variant is never constructed" warning because the value can
// be received from BoringSSL as part of the FFI callbacks.
#[allow(dead_code)]
ZeroRTT = 1,
Handshake = 2,
OneRTT = 3,
}
impl Level {
pub fn from_epoch(e: packet::Epoch) -> Level {
match e {
packet::EPOCH_INITIAL => Level::Initial,
packet::EPOCH_HANDSHAKE => Level::Handshake,
packet::EPOCH_APPLICATION => Level::OneRTT,
_ => unreachable!(),
}
}
}
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Algorithm {
#[allow(non_camel_case_types)]
AES128_GCM,
#[allow(non_camel_case_types)]
AES256_GCM,
#[allow(non_camel_case_types)]
ChaCha20_Poly1305,
}
impl Algorithm {
fn get_ring_aead(self) -> &'static aead::Algorithm {
match self {
Algorithm::AES128_GCM => &aead::AES_128_GCM,
Algorithm::AES256_GCM => &aead::AES_256_GCM,
Algorithm::ChaCha20_Poly1305 => &aead::CHACHA20_POLY1305,
}
}
fn get_ring_hp(self) -> &'static aead::quic::Algorithm {
match self {
Algorithm::AES128_GCM => &aead::quic::AES_128,
Algorithm::AES256_GCM => &aead::quic::AES_256,
Algorithm::ChaCha20_Poly1305 => &aead::quic::CHACHA20,
}
}
fn get_ring_digest(self) -> hkdf::Algorithm {
match self {
Algorithm::AES128_GCM => hkdf::HKDF_SHA256,
Algorithm::AES256_GCM => hkdf::HKDF_SHA384,
Algorithm::ChaCha20_Poly1305 => hkdf::HKDF_SHA256,
}
}
pub fn key_len(self) -> usize {
self.get_ring_aead().key_len()
}
pub fn tag_len(self) -> usize {
if cfg!(feature = "fuzzing") {
return 0;
}
self.get_ring_aead().tag_len()
}
pub fn nonce_len(self) -> usize {
self.get_ring_aead().nonce_len()
}
}
pub struct Open {
alg: Algorithm,
hp_key: aead::quic::HeaderProtectionKey,
key: aead::LessSafeKey,
nonce: Vec<u8>,
}
impl Open {
pub fn new(
alg: Algorithm, key: &[u8], iv: &[u8], hp_key: &[u8],
) -> Result<Open> {
Ok(Open {
hp_key: aead::quic::HeaderProtectionKey::new(
alg.get_ring_hp(),
hp_key,
)
.map_err(|_| Error::CryptoFail)?,
key: aead::LessSafeKey::new(
aead::UnboundKey::new(alg.get_ring_aead(), key)
.map_err(|_| Error::CryptoFail)?,
),
nonce: Vec::from(iv),
alg,
})
}
pub fn open_with_u64_counter(
&self, counter: u64, ad: &[u8], buf: &mut [u8],
) -> Result<usize> {
if cfg!(feature = "fuzzing") {
return Ok(buf.len());
}
let nonce = make_nonce(&self.nonce, counter);
let ad = aead::Aad::from(ad);
let plain = self
.key
.open_in_place(nonce, ad, buf)
.map_err(|_| Error::CryptoFail)?;
Ok(plain.len())
}
pub fn new_mask(&self, sample: &[u8]) -> Result<[u8; 5]> {
if cfg!(feature = "fuzzing") {
return Ok(<[u8; 5]>::default());
}
let mask = self
.hp_key
.new_mask(sample)
.map_err(|_| Error::CryptoFail)?;
Ok(mask)
}
pub fn alg(&self) -> Algorithm {
self.alg
}
}
pub struct Seal {
alg: Algorithm,
hp_key: aead::quic::HeaderProtectionKey,
key: aead::LessSafeKey,
nonce: Vec<u8>,
}
impl Seal {
pub fn new(
alg: Algorithm, key: &[u8], iv: &[u8], hp_key: &[u8],
) -> Result<Seal> {
Ok(Seal {
hp_key: aead::quic::HeaderProtectionKey::new(
alg.get_ring_hp(),
hp_key,
)
.map_err(|_| Error::CryptoFail)?,
key: aead::LessSafeKey::new(
aead::UnboundKey::new(alg.get_ring_aead(), key)
.map_err(|_| Error::CryptoFail)?,
),
nonce: Vec::from(iv),
alg,
})
}
pub fn seal_with_u64_counter(
&self, counter: u64, ad: &[u8], buf: &mut [u8],
) -> Result<()> {
if cfg!(feature = "fuzzing") {
return Ok(());
}
let nonce = make_nonce(&self.nonce, counter);
let ad = aead::Aad::from(ad);
let tag_len = self.alg().tag_len();
let in_out_len =
buf.len().checked_sub(tag_len).ok_or(Error::CryptoFail)?;
let (in_out, tag_out) = buf.split_at_mut(in_out_len);
let tag = self
.key
.seal_in_place_separate_tag(nonce, ad, in_out)
.map_err(|_| Error::CryptoFail)?;
// Append the AEAD tag to the end of the sealed buffer.
tag_out.copy_from_slice(tag.as_ref());
Ok(())
}
pub fn new_mask(&self, sample: &[u8]) -> Result<[u8; 5]> {
if cfg!(feature = "fuzzing") {
return Ok(<[u8; 5]>::default());
}
let mask = self
.hp_key
.new_mask(sample)
.map_err(|_| Error::CryptoFail)?;
Ok(mask)
}
pub fn alg(&self) -> Algorithm {
self.alg
}
}
pub fn derive_initial_key_material(
cid: &[u8], is_server: bool,
) -> Result<(Open, Seal)> {
let mut secret = [0; 32];
let aead = Algorithm::AES128_GCM;
let key_len = aead.key_len();
let nonce_len = aead.nonce_len();
let initial_secret = derive_initial_secret(&cid)?;
// Client.
let mut client_key = vec![0; key_len];
let mut client_iv = vec![0; nonce_len];
let mut client_hp_key = vec![0; key_len];
derive_client_initial_secret(&initial_secret, &mut secret)?;
derive_pkt_key(aead, &secret, &mut client_key)?;
derive_pkt_iv(aead, &secret, &mut client_iv)?;
derive_hdr_key(aead, &secret, &mut client_hp_key)?;
// Server.
let mut server_key = vec![0; key_len];
let mut server_iv = vec![0; nonce_len];
let mut server_hp_key = vec![0; key_len];
derive_server_initial_secret(&initial_secret, &mut secret)?;
derive_pkt_key(aead, &secret, &mut server_key)?;
derive_pkt_iv(aead, &secret, &mut server_iv)?;
derive_hdr_key(aead, &secret, &mut server_hp_key)?;
let (open, seal) = if is_server {
(
Open::new(aead, &client_key, &client_iv, &client_hp_key)?,
Seal::new(aead, &server_key, &server_iv, &server_hp_key)?,
)
} else {
(
Open::new(aead, &server_key, &server_iv, &server_hp_key)?,
Seal::new(aead, &client_key, &client_iv, &client_hp_key)?,
)
};
Ok((open, seal))
}
fn derive_initial_secret(secret: &[u8]) -> Result<hkdf::Prk> {
const INITIAL_SALT: [u8; 20] = [
0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb, 0x5a, 0x11, 0xa7, 0xd2, 0x43,
0x2b, 0xb4, 0x63, 0x65, 0xbe, 0xf9, 0xf5, 0x02,
];
let salt = hkdf::Salt::new(hkdf::HKDF_SHA256, &INITIAL_SALT);
Ok(salt.extract(secret))
}
fn derive_client_initial_secret(prk: &hkdf::Prk, out: &mut [u8]) -> Result<()> {
const LABEL: &[u8] = b"client in";
hkdf_expand_label(prk, LABEL, out)
}
fn derive_server_initial_secret(prk: &hkdf::Prk, out: &mut [u8]) -> Result<()> {
const LABEL: &[u8] = b"server in";
hkdf_expand_label(prk, LABEL, out)
}
pub fn derive_hdr_key(
aead: Algorithm, secret: &[u8], out: &mut [u8],
) -> Result<()> {
const LABEL: &[u8] = b"quic hp";
let key_len = aead.key_len();
if key_len > out.len() {
return Err(Error::CryptoFail);
}
let secret = hkdf::Prk::new_less_safe(aead.get_ring_digest(), secret);
hkdf_expand_label(&secret, LABEL, &mut out[..key_len])
}
pub fn derive_pkt_key(
aead: Algorithm, secret: &[u8], out: &mut [u8],
) -> Result<()> {
const LABEL: &[u8] = b"quic key";
let key_len = aead.key_len();
if key_len > out.len() {
return Err(Error::CryptoFail);
}
let secret = hkdf::Prk::new_less_safe(aead.get_ring_digest(), secret);
hkdf_expand_label(&secret, LABEL, &mut out[..key_len])
}
pub fn derive_pkt_iv(
aead: Algorithm, secret: &[u8], out: &mut [u8],
) -> Result<()> {
const LABEL: &[u8] = b"quic iv";
let nonce_len = aead.nonce_len();
if nonce_len > out.len() {
return Err(Error::CryptoFail);
}
let secret = hkdf::Prk::new_less_safe(aead.get_ring_digest(), secret);
hkdf_expand_label(&secret, LABEL, &mut out[..nonce_len])
}
fn hkdf_expand_label(
prk: &hkdf::Prk, label: &[u8], out: &mut [u8],
) -> Result<()> {
const LABEL_PREFIX: &[u8] = b"tls13 ";
let out_len = (out.len() as u16).to_be_bytes();
let label_len = (LABEL_PREFIX.len() + label.len()) as u8;
let info = [&out_len, &[label_len][..], LABEL_PREFIX, label, &[0][..]];
prk.expand(&info, ArbitraryOutputLen(out.len()))
.map_err(|_| Error::CryptoFail)?
.fill(out)
.map_err(|_| Error::CryptoFail)?;
Ok(())
}
fn make_nonce(iv: &[u8], counter: u64) -> aead::Nonce {
let mut nonce = [0; 12];
nonce.copy_from_slice(&iv);
// XOR the last bytes of the IV with the counter. This is equivalent to
// left-padding the counter with zero bytes.
for (a, b) in nonce[4..].iter_mut().zip(counter.to_be_bytes().iter()) {
*a ^= b;
}
aead::Nonce::assume_unique_for_key(nonce)
}
// The ring HKDF expand() API does not accept an arbitrary output length, so we
// need to hide the `usize` length as part of a type that implements the trait
// `ring::hkdf::KeyType` in order to trick ring into accepting it.
struct ArbitraryOutputLen(usize);
impl hkdf::KeyType for ArbitraryOutputLen {
fn len(&self) -> usize {
self.0
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn derive_initial_secrets() {
let dcid = [0x83, 0x94, 0xc8, 0xf0, 0x3e, 0x51, 0x57, 0x08];
let mut secret = [0; 32];
let mut pkt_key = [0; 16];
let mut pkt_iv = [0; 12];
let mut hdr_key = [0; 16];
let aead = Algorithm::AES128_GCM;
let initial_secret = derive_initial_secret(&dcid).unwrap();
// Client.
assert!(
derive_client_initial_secret(&initial_secret, &mut secret).is_ok()
);
let expected_client_initial_secret = [
0xfd, 0xa3, 0x95, 0x3a, 0xec, 0xc0, 0x40, 0xe4, 0x8b, 0x34, 0xe2,
0x7e, 0xf8, 0x7d, 0xe3, 0xa6, 0x09, 0x8e, 0xcf, 0x0e, 0x38, 0xb7,
0xe0, 0x32, 0xc5, 0xc5, 0x7b, 0xcb, 0xd5, 0x97, 0x5b, 0x84,
];
assert_eq!(&secret, &expected_client_initial_secret);
assert!(derive_pkt_key(aead, &secret, &mut pkt_key).is_ok());
let expected_client_pkt_key = [
0xaf, 0x7f, 0xd7, 0xef, 0xeb, 0xd2, 0x18, 0x78, 0xff, 0x66, 0x81,
0x12, 0x48, 0x98, 0x36, 0x94,
];
assert_eq!(&pkt_key, &expected_client_pkt_key);
assert!(derive_pkt_iv(aead, &secret, &mut pkt_iv).is_ok());
let expected_client_pkt_iv = [
0x86, 0x81, 0x35, 0x94, 0x10, 0xa7, 0x0b, 0xb9, 0xc9, 0x2f, 0x04,
0x20,
];
assert_eq!(&pkt_iv, &expected_client_pkt_iv);
assert!(derive_hdr_key(aead, &secret, &mut hdr_key).is_ok());
let expected_client_hdr_key = [
0xa9, 0x80, 0xb8, 0xb4, 0xfb, 0x7d, 0x9f, 0xbc, 0x13, 0xe8, 0x14,
0xc2, 0x31, 0x64, 0x25, 0x3d,
];
assert_eq!(&hdr_key, &expected_client_hdr_key);
// Server.
assert!(
derive_server_initial_secret(&initial_secret, &mut secret).is_ok()
);
let expected_server_initial_secret = [
0x55, 0x43, 0x66, 0xb8, 0x19, 0x12, 0xff, 0x90, 0xbe, 0x41, 0xf1,
0x7e, 0x80, 0x22, 0x21, 0x30, 0x90, 0xab, 0x17, 0xd8, 0x14, 0x91,
0x79, 0xbc, 0xad, 0xf2, 0x22, 0xf2, 0x9f, 0xf2, 0xdd, 0xd5,
];
assert_eq!(&secret, &expected_server_initial_secret);
assert!(derive_pkt_key(aead, &secret, &mut pkt_key).is_ok());
let expected_server_pkt_key = [
0x5d, 0x51, 0xda, 0x9e, 0xe8, 0x97, 0xa2, 0x1b, 0x26, 0x59, 0xcc,
0xc7, 0xe5, 0xbf, 0xa5, 0x77,
];
assert_eq!(&pkt_key, &expected_server_pkt_key);
assert!(derive_pkt_iv(aead, &secret, &mut pkt_iv).is_ok());
let expected_server_pkt_iv = [
0x5e, 0x5a, 0xe6, 0x51, 0xfd, 0x1e, 0x84, 0x95, 0xaf, 0x13, 0x50,
0x8b,
];
assert_eq!(&pkt_iv, &expected_server_pkt_iv);
assert!(derive_hdr_key(aead, &secret, &mut hdr_key).is_ok());
let expected_server_hdr_key = [
0xa8, 0xed, 0x82, 0xe6, 0x66, 0x4f, 0x86, 0x5a, 0xed, 0xf6, 0x10,
0x69, 0x43, 0xf9, 0x5f, 0xb8,
];
assert_eq!(&hdr_key, &expected_server_hdr_key);
}
}