blob: 428edb7dd5f9abda5d82f86b3f864d0a507d82a6 [file] [log] [blame]
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "quiche/quic/core/crypto/crypto_utils.h"
#include <memory>
#include <string>
#include <utility>
#include "absl/base/macros.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "openssl/bytestring.h"
#include "openssl/hkdf.h"
#include "openssl/mem.h"
#include "openssl/sha.h"
#include "quiche/quic/core/crypto/aes_128_gcm_12_decrypter.h"
#include "quiche/quic/core/crypto/aes_128_gcm_12_encrypter.h"
#include "quiche/quic/core/crypto/aes_128_gcm_decrypter.h"
#include "quiche/quic/core/crypto/aes_128_gcm_encrypter.h"
#include "quiche/quic/core/crypto/crypto_handshake.h"
#include "quiche/quic/core/crypto/crypto_protocol.h"
#include "quiche/quic/core/crypto/null_decrypter.h"
#include "quiche/quic/core/crypto/null_encrypter.h"
#include "quiche/quic/core/crypto/quic_decrypter.h"
#include "quiche/quic/core/crypto/quic_encrypter.h"
#include "quiche/quic/core/crypto/quic_hkdf.h"
#include "quiche/quic/core/crypto/quic_random.h"
#include "quiche/quic/core/quic_connection_id.h"
#include "quiche/quic/core/quic_constants.h"
#include "quiche/quic/core/quic_data_writer.h"
#include "quiche/quic/core/quic_time.h"
#include "quiche/quic/core/quic_utils.h"
#include "quiche/quic/core/quic_versions.h"
#include "quiche/quic/platform/api/quic_bug_tracker.h"
#include "quiche/quic/platform/api/quic_logging.h"
#include "quiche/common/quiche_endian.h"
namespace quic {
namespace {
// Implements the HKDF-Expand-Label function as defined in section 7.1 of RFC
// 8446. The HKDF-Expand-Label function takes 4 explicit arguments (Secret,
// Label, Context, and Length), as well as implicit PRF which is the hash
// function negotiated by TLS. Its use in QUIC (as needed by the QUIC stack,
// instead of as used internally by the TLS stack) is only for deriving initial
// secrets for obfuscation, for calculating packet protection keys and IVs from
// the corresponding packet protection secret and key update in the same quic
// session. None of these uses need a Context (a zero-length context is
// provided), so this argument is omitted here.
//
// The implicit PRF is explicitly passed into HkdfExpandLabel as |prf|; the
// Secret, Label, and Length are passed in as |secret|, |label|, and
// |out_len|, respectively. The resulting expanded secret is returned.
std::vector<uint8_t> HkdfExpandLabel(const EVP_MD* prf,
absl::Span<const uint8_t> secret,
const std::string& label, size_t out_len) {
bssl::ScopedCBB quic_hkdf_label;
CBB inner_label;
const char label_prefix[] = "tls13 ";
// 20 = size(u16) + size(u8) + len("tls13 ") +
// max_len("client in", "server in", "quicv2 key", ... ) +
// size(u8);
static const size_t max_quic_hkdf_label_length = 20;
if (!CBB_init(quic_hkdf_label.get(), max_quic_hkdf_label_length) ||
!CBB_add_u16(quic_hkdf_label.get(), out_len) ||
!CBB_add_u8_length_prefixed(quic_hkdf_label.get(), &inner_label) ||
!CBB_add_bytes(&inner_label,
reinterpret_cast<const uint8_t*>(label_prefix),
ABSL_ARRAYSIZE(label_prefix) - 1) ||
!CBB_add_bytes(&inner_label,
reinterpret_cast<const uint8_t*>(label.data()),
label.size()) ||
// Zero length |Context|.
!CBB_add_u8(quic_hkdf_label.get(), 0) ||
!CBB_flush(quic_hkdf_label.get())) {
QUIC_LOG(ERROR) << "Building HKDF label failed";
return std::vector<uint8_t>();
}
std::vector<uint8_t> out;
out.resize(out_len);
if (!HKDF_expand(out.data(), out_len, prf, secret.data(), secret.size(),
CBB_data(quic_hkdf_label.get()),
CBB_len(quic_hkdf_label.get()))) {
QUIC_LOG(ERROR) << "Running HKDF-Expand-Label failed";
return std::vector<uint8_t>();
}
return out;
}
} // namespace
const std::string getLabelForVersion(const ParsedQuicVersion& version,
const absl::string_view& predicate) {
static_assert(SupportedVersions().size() == 6u,
"Supported versions out of sync with HKDF labels");
if (version == ParsedQuicVersion::V2Draft01()) {
return absl::StrCat("quicv2 ", predicate);
} else {
return absl::StrCat("quic ", predicate);
}
}
void CryptoUtils::InitializeCrypterSecrets(
const EVP_MD* prf, const std::vector<uint8_t>& pp_secret,
const ParsedQuicVersion& version, QuicCrypter* crypter) {
SetKeyAndIV(prf, pp_secret, version, crypter);
std::vector<uint8_t> header_protection_key = GenerateHeaderProtectionKey(
prf, pp_secret, version, crypter->GetKeySize());
crypter->SetHeaderProtectionKey(
absl::string_view(reinterpret_cast<char*>(header_protection_key.data()),
header_protection_key.size()));
}
void CryptoUtils::SetKeyAndIV(const EVP_MD* prf,
absl::Span<const uint8_t> pp_secret,
const ParsedQuicVersion& version,
QuicCrypter* crypter) {
std::vector<uint8_t> key =
HkdfExpandLabel(prf, pp_secret, getLabelForVersion(version, "key"),
crypter->GetKeySize());
std::vector<uint8_t> iv = HkdfExpandLabel(
prf, pp_secret, getLabelForVersion(version, "iv"), crypter->GetIVSize());
crypter->SetKey(
absl::string_view(reinterpret_cast<char*>(key.data()), key.size()));
crypter->SetIV(
absl::string_view(reinterpret_cast<char*>(iv.data()), iv.size()));
}
std::vector<uint8_t> CryptoUtils::GenerateHeaderProtectionKey(
const EVP_MD* prf, absl::Span<const uint8_t> pp_secret,
const ParsedQuicVersion& version, size_t out_len) {
return HkdfExpandLabel(prf, pp_secret, getLabelForVersion(version, "hp"),
out_len);
}
std::vector<uint8_t> CryptoUtils::GenerateNextKeyPhaseSecret(
const EVP_MD* prf, const ParsedQuicVersion& version,
const std::vector<uint8_t>& current_secret) {
return HkdfExpandLabel(prf, current_secret, getLabelForVersion(version, "ku"),
current_secret.size());
}
namespace {
// Salt from https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-5.2
const uint8_t kDraft29InitialSalt[] = {0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2,
0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61,
0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99};
const uint8_t kRFCv1InitialSalt[] = {0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34,
0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8,
0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a};
const uint8_t kV2Draft01InitialSalt[] = {
0xa7, 0x07, 0xc2, 0x03, 0xa5, 0x9b, 0x47, 0x18, 0x4a, 0x1d,
0x62, 0xca, 0x57, 0x04, 0x06, 0xea, 0x7a, 0xe3, 0xe5, 0xd3};
// Salts used by deployed versions of QUIC. When introducing a new version,
// generate a new salt by running `openssl rand -hex 20`.
// Salt to use for initial obfuscators in version Q050.
const uint8_t kQ050Salt[] = {0x50, 0x45, 0x74, 0xef, 0xd0, 0x66, 0xfe,
0x2f, 0x9d, 0x94, 0x5c, 0xfc, 0xdb, 0xd3,
0xa7, 0xf0, 0xd3, 0xb5, 0x6b, 0x45};
// Salt to use for initial obfuscators in
// ParsedQuicVersion::ReservedForNegotiation().
const uint8_t kReservedForNegotiationSalt[] = {
0xf9, 0x64, 0xbf, 0x45, 0x3a, 0x1f, 0x1b, 0x80, 0xa5, 0xf8,
0x82, 0x03, 0x77, 0xd4, 0xaf, 0xca, 0x58, 0x0e, 0xe7, 0x43};
const uint8_t* InitialSaltForVersion(const ParsedQuicVersion& version,
size_t* out_len) {
static_assert(SupportedVersions().size() == 6u,
"Supported versions out of sync with initial encryption salts");
if (version == ParsedQuicVersion::V2Draft01()) {
*out_len = ABSL_ARRAYSIZE(kV2Draft01InitialSalt);
return kV2Draft01InitialSalt;
} else if (version == ParsedQuicVersion::RFCv1()) {
*out_len = ABSL_ARRAYSIZE(kRFCv1InitialSalt);
return kRFCv1InitialSalt;
} else if (version == ParsedQuicVersion::Draft29()) {
*out_len = ABSL_ARRAYSIZE(kDraft29InitialSalt);
return kDraft29InitialSalt;
} else if (version == ParsedQuicVersion::Q050()) {
*out_len = ABSL_ARRAYSIZE(kQ050Salt);
return kQ050Salt;
} else if (version == ParsedQuicVersion::ReservedForNegotiation()) {
*out_len = ABSL_ARRAYSIZE(kReservedForNegotiationSalt);
return kReservedForNegotiationSalt;
}
QUIC_BUG(quic_bug_10699_1)
<< "No initial obfuscation salt for version " << version;
*out_len = ABSL_ARRAYSIZE(kReservedForNegotiationSalt);
return kReservedForNegotiationSalt;
}
const char kPreSharedKeyLabel[] = "QUIC PSK";
// Retry Integrity Protection Keys and Nonces.
// https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-5.8
// When introducing a new Google version, generate a new key by running
// `openssl rand -hex 16`.
const uint8_t kDraft29RetryIntegrityKey[] = {0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a,
0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a,
0x6c, 0xb9, 0x6b, 0xe1};
const uint8_t kDraft29RetryIntegrityNonce[] = {
0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c};
const uint8_t kRFCv1RetryIntegrityKey[] = {0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66,
0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54,
0xe3, 0x68, 0xc8, 0x4e};
const uint8_t kRFCv1RetryIntegrityNonce[] = {
0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb};
const uint8_t kV2Draft01RetryIntegrityKey[] = {
0xba, 0x85, 0x8d, 0xc7, 0xb4, 0x3d, 0xe5, 0xdb,
0xf8, 0x76, 0x17, 0xff, 0x4a, 0xb2, 0x53, 0xdb};
const uint8_t kV2Draft01RetryIntegrityNonce[] = {
0x14, 0x1b, 0x99, 0xc2, 0x39, 0xb0, 0x3e, 0x78, 0x5d, 0x6a, 0x2e, 0x9f};
// Retry integrity key used by ParsedQuicVersion::ReservedForNegotiation().
const uint8_t kReservedForNegotiationRetryIntegrityKey[] = {
0xf2, 0xcd, 0x8f, 0xe0, 0x36, 0xd0, 0x25, 0x35,
0x03, 0xe6, 0x7c, 0x7b, 0xd2, 0x44, 0xca, 0xd9};
// When introducing a new Google version, generate a new nonce by running
// `openssl rand -hex 12`.
// Retry integrity nonce used by ParsedQuicVersion::ReservedForNegotiation().
const uint8_t kReservedForNegotiationRetryIntegrityNonce[] = {
0x35, 0x9f, 0x16, 0xd1, 0xed, 0x80, 0x90, 0x8e, 0xec, 0x85, 0xc4, 0xd6};
bool RetryIntegrityKeysForVersion(const ParsedQuicVersion& version,
absl::string_view* key,
absl::string_view* nonce) {
static_assert(SupportedVersions().size() == 6u,
"Supported versions out of sync with retry integrity keys");
if (!version.UsesTls()) {
QUIC_BUG(quic_bug_10699_2)
<< "Attempted to get retry integrity keys for invalid version "
<< version;
return false;
} else if (version == ParsedQuicVersion::V2Draft01()) {
*key = absl::string_view(
reinterpret_cast<const char*>(kV2Draft01RetryIntegrityKey),
ABSL_ARRAYSIZE(kV2Draft01RetryIntegrityKey));
*nonce = absl::string_view(
reinterpret_cast<const char*>(kV2Draft01RetryIntegrityNonce),
ABSL_ARRAYSIZE(kV2Draft01RetryIntegrityNonce));
return true;
} else if (version == ParsedQuicVersion::RFCv1()) {
*key = absl::string_view(
reinterpret_cast<const char*>(kRFCv1RetryIntegrityKey),
ABSL_ARRAYSIZE(kRFCv1RetryIntegrityKey));
*nonce = absl::string_view(
reinterpret_cast<const char*>(kRFCv1RetryIntegrityNonce),
ABSL_ARRAYSIZE(kRFCv1RetryIntegrityNonce));
return true;
} else if (version == ParsedQuicVersion::Draft29()) {
*key = absl::string_view(
reinterpret_cast<const char*>(kDraft29RetryIntegrityKey),
ABSL_ARRAYSIZE(kDraft29RetryIntegrityKey));
*nonce = absl::string_view(
reinterpret_cast<const char*>(kDraft29RetryIntegrityNonce),
ABSL_ARRAYSIZE(kDraft29RetryIntegrityNonce));
return true;
} else if (version == ParsedQuicVersion::ReservedForNegotiation()) {
*key = absl::string_view(
reinterpret_cast<const char*>(kReservedForNegotiationRetryIntegrityKey),
ABSL_ARRAYSIZE(kReservedForNegotiationRetryIntegrityKey));
*nonce = absl::string_view(
reinterpret_cast<const char*>(
kReservedForNegotiationRetryIntegrityNonce),
ABSL_ARRAYSIZE(kReservedForNegotiationRetryIntegrityNonce));
return true;
}
QUIC_BUG(quic_bug_10699_3)
<< "Attempted to get retry integrity keys for version " << version;
return false;
}
} // namespace
// static
void CryptoUtils::CreateInitialObfuscators(Perspective perspective,
ParsedQuicVersion version,
QuicConnectionId connection_id,
CrypterPair* crypters) {
QUIC_DLOG(INFO) << "Creating "
<< (perspective == Perspective::IS_CLIENT ? "client"
: "server")
<< " crypters for version " << version << " with CID "
<< connection_id;
if (!version.UsesInitialObfuscators()) {
crypters->encrypter = std::make_unique<NullEncrypter>(perspective);
crypters->decrypter = std::make_unique<NullDecrypter>(perspective);
return;
}
QUIC_BUG_IF(quic_bug_12871_1, !QuicUtils::IsConnectionIdValidForVersion(
connection_id, version.transport_version))
<< "CreateTlsInitialCrypters: attempted to use connection ID "
<< connection_id << " which is invalid with version " << version;
const EVP_MD* hash = EVP_sha256();
size_t salt_len;
const uint8_t* salt = InitialSaltForVersion(version, &salt_len);
std::vector<uint8_t> handshake_secret;
handshake_secret.resize(EVP_MAX_MD_SIZE);
size_t handshake_secret_len;
const bool hkdf_extract_success =
HKDF_extract(handshake_secret.data(), &handshake_secret_len, hash,
reinterpret_cast<const uint8_t*>(connection_id.data()),
connection_id.length(), salt, salt_len);
QUIC_BUG_IF(quic_bug_12871_2, !hkdf_extract_success)
<< "HKDF_extract failed when creating initial crypters";
handshake_secret.resize(handshake_secret_len);
const std::string client_label = "client in";
const std::string server_label = "server in";
std::string encryption_label, decryption_label;
if (perspective == Perspective::IS_CLIENT) {
encryption_label = client_label;
decryption_label = server_label;
} else {
encryption_label = server_label;
decryption_label = client_label;
}
std::vector<uint8_t> encryption_secret = HkdfExpandLabel(
hash, handshake_secret, encryption_label, EVP_MD_size(hash));
crypters->encrypter = std::make_unique<Aes128GcmEncrypter>();
InitializeCrypterSecrets(hash, encryption_secret, version,
crypters->encrypter.get());
std::vector<uint8_t> decryption_secret = HkdfExpandLabel(
hash, handshake_secret, decryption_label, EVP_MD_size(hash));
crypters->decrypter = std::make_unique<Aes128GcmDecrypter>();
InitializeCrypterSecrets(hash, decryption_secret, version,
crypters->decrypter.get());
}
// static
bool CryptoUtils::ValidateRetryIntegrityTag(
ParsedQuicVersion version, QuicConnectionId original_connection_id,
absl::string_view retry_without_tag, absl::string_view integrity_tag) {
unsigned char computed_integrity_tag[kRetryIntegrityTagLength];
if (integrity_tag.length() != ABSL_ARRAYSIZE(computed_integrity_tag)) {
QUIC_BUG(quic_bug_10699_4)
<< "Invalid retry integrity tag length " << integrity_tag.length();
return false;
}
char retry_pseudo_packet[kMaxIncomingPacketSize + 256];
QuicDataWriter writer(ABSL_ARRAYSIZE(retry_pseudo_packet),
retry_pseudo_packet);
if (!writer.WriteLengthPrefixedConnectionId(original_connection_id)) {
QUIC_BUG(quic_bug_10699_5)
<< "Failed to write original connection ID in retry pseudo packet";
return false;
}
if (!writer.WriteStringPiece(retry_without_tag)) {
QUIC_BUG(quic_bug_10699_6)
<< "Failed to write retry without tag in retry pseudo packet";
return false;
}
absl::string_view key;
absl::string_view nonce;
if (!RetryIntegrityKeysForVersion(version, &key, &nonce)) {
// RetryIntegrityKeysForVersion already logs failures.
return false;
}
Aes128GcmEncrypter crypter;
crypter.SetKey(key);
absl::string_view associated_data(writer.data(), writer.length());
absl::string_view plaintext; // Plaintext is empty.
if (!crypter.Encrypt(nonce, associated_data, plaintext,
computed_integrity_tag)) {
QUIC_BUG(quic_bug_10699_7) << "Failed to compute retry integrity tag";
return false;
}
if (CRYPTO_memcmp(computed_integrity_tag, integrity_tag.data(),
ABSL_ARRAYSIZE(computed_integrity_tag)) != 0) {
QUIC_DLOG(ERROR) << "Failed to validate retry integrity tag";
return false;
}
return true;
}
// static
void CryptoUtils::GenerateNonce(QuicWallTime now, QuicRandom* random_generator,
absl::string_view orbit, std::string* nonce) {
// a 4-byte timestamp + 28 random bytes.
nonce->reserve(kNonceSize);
nonce->resize(kNonceSize);
uint32_t gmt_unix_time = static_cast<uint32_t>(now.ToUNIXSeconds());
// The time in the nonce must be encoded in big-endian because the
// strike-register depends on the nonces being ordered by time.
(*nonce)[0] = static_cast<char>(gmt_unix_time >> 24);
(*nonce)[1] = static_cast<char>(gmt_unix_time >> 16);
(*nonce)[2] = static_cast<char>(gmt_unix_time >> 8);
(*nonce)[3] = static_cast<char>(gmt_unix_time);
size_t bytes_written = 4;
if (orbit.size() == 8) {
memcpy(&(*nonce)[bytes_written], orbit.data(), orbit.size());
bytes_written += orbit.size();
}
random_generator->RandBytes(&(*nonce)[bytes_written],
kNonceSize - bytes_written);
}
// static
bool CryptoUtils::DeriveKeys(
const ParsedQuicVersion& version, absl::string_view premaster_secret,
QuicTag aead, absl::string_view client_nonce,
absl::string_view server_nonce, absl::string_view pre_shared_key,
const std::string& hkdf_input, Perspective perspective,
Diversification diversification, CrypterPair* crypters,
std::string* subkey_secret) {
// If the connection is using PSK, concatenate it with the pre-master secret.
std::unique_ptr<char[]> psk_premaster_secret;
if (!pre_shared_key.empty()) {
const absl::string_view label(kPreSharedKeyLabel);
const size_t psk_premaster_secret_size = label.size() + 1 +
pre_shared_key.size() + 8 +
premaster_secret.size() + 8;
psk_premaster_secret = std::make_unique<char[]>(psk_premaster_secret_size);
QuicDataWriter writer(psk_premaster_secret_size, psk_premaster_secret.get(),
quiche::HOST_BYTE_ORDER);
if (!writer.WriteStringPiece(label) || !writer.WriteUInt8(0) ||
!writer.WriteStringPiece(pre_shared_key) ||
!writer.WriteUInt64(pre_shared_key.size()) ||
!writer.WriteStringPiece(premaster_secret) ||
!writer.WriteUInt64(premaster_secret.size()) ||
writer.remaining() != 0) {
return false;
}
premaster_secret = absl::string_view(psk_premaster_secret.get(),
psk_premaster_secret_size);
}
crypters->encrypter = QuicEncrypter::Create(version, aead);
crypters->decrypter = QuicDecrypter::Create(version, aead);
size_t key_bytes = crypters->encrypter->GetKeySize();
size_t nonce_prefix_bytes = crypters->encrypter->GetNoncePrefixSize();
if (version.UsesInitialObfuscators()) {
nonce_prefix_bytes = crypters->encrypter->GetIVSize();
}
size_t subkey_secret_bytes =
subkey_secret == nullptr ? 0 : premaster_secret.length();
absl::string_view nonce = client_nonce;
std::string nonce_storage;
if (!server_nonce.empty()) {
nonce_storage = std::string(client_nonce) + std::string(server_nonce);
nonce = nonce_storage;
}
QuicHKDF hkdf(premaster_secret, nonce, hkdf_input, key_bytes,
nonce_prefix_bytes, subkey_secret_bytes);
// Key derivation depends on the key diversification method being employed.
// both the client and the server support never doing key diversification.
// The server also supports immediate diversification, and the client
// supports pending diversification.
switch (diversification.mode()) {
case Diversification::NEVER: {
if (perspective == Perspective::IS_SERVER) {
if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
!crypters->encrypter->SetNoncePrefixOrIV(version,
hkdf.server_write_iv()) ||
!crypters->encrypter->SetHeaderProtectionKey(
hkdf.server_hp_key()) ||
!crypters->decrypter->SetKey(hkdf.client_write_key()) ||
!crypters->decrypter->SetNoncePrefixOrIV(version,
hkdf.client_write_iv()) ||
!crypters->decrypter->SetHeaderProtectionKey(
hkdf.client_hp_key())) {
return false;
}
} else {
if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
!crypters->encrypter->SetNoncePrefixOrIV(version,
hkdf.client_write_iv()) ||
!crypters->encrypter->SetHeaderProtectionKey(
hkdf.client_hp_key()) ||
!crypters->decrypter->SetKey(hkdf.server_write_key()) ||
!crypters->decrypter->SetNoncePrefixOrIV(version,
hkdf.server_write_iv()) ||
!crypters->decrypter->SetHeaderProtectionKey(
hkdf.server_hp_key())) {
return false;
}
}
break;
}
case Diversification::PENDING: {
if (perspective == Perspective::IS_SERVER) {
QUIC_BUG(quic_bug_10699_8)
<< "Pending diversification is only for clients.";
return false;
}
if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
!crypters->encrypter->SetNoncePrefixOrIV(version,
hkdf.client_write_iv()) ||
!crypters->encrypter->SetHeaderProtectionKey(hkdf.client_hp_key()) ||
!crypters->decrypter->SetPreliminaryKey(hkdf.server_write_key()) ||
!crypters->decrypter->SetNoncePrefixOrIV(version,
hkdf.server_write_iv()) ||
!crypters->decrypter->SetHeaderProtectionKey(hkdf.server_hp_key())) {
return false;
}
break;
}
case Diversification::NOW: {
if (perspective == Perspective::IS_CLIENT) {
QUIC_BUG(quic_bug_10699_9)
<< "Immediate diversification is only for servers.";
return false;
}
std::string key, nonce_prefix;
QuicDecrypter::DiversifyPreliminaryKey(
hkdf.server_write_key(), hkdf.server_write_iv(),
*diversification.nonce(), key_bytes, nonce_prefix_bytes, &key,
&nonce_prefix);
if (!crypters->decrypter->SetKey(hkdf.client_write_key()) ||
!crypters->decrypter->SetNoncePrefixOrIV(version,
hkdf.client_write_iv()) ||
!crypters->decrypter->SetHeaderProtectionKey(hkdf.client_hp_key()) ||
!crypters->encrypter->SetKey(key) ||
!crypters->encrypter->SetNoncePrefixOrIV(version, nonce_prefix) ||
!crypters->encrypter->SetHeaderProtectionKey(hkdf.server_hp_key())) {
return false;
}
break;
}
default:
QUICHE_DCHECK(false);
}
if (subkey_secret != nullptr) {
*subkey_secret = std::string(hkdf.subkey_secret());
}
return true;
}
// static
uint64_t CryptoUtils::ComputeLeafCertHash(absl::string_view cert) {
return QuicUtils::FNV1a_64_Hash(cert);
}
QuicErrorCode CryptoUtils::ValidateServerHello(
const CryptoHandshakeMessage& server_hello,
const ParsedQuicVersionVector& negotiated_versions,
std::string* error_details) {
QUICHE_DCHECK(error_details != nullptr);
if (server_hello.tag() != kSHLO) {
*error_details = "Bad tag";
return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
}
QuicVersionLabelVector supported_version_labels;
if (server_hello.GetVersionLabelList(kVER, &supported_version_labels) !=
QUIC_NO_ERROR) {
*error_details = "server hello missing version list";
return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
}
return ValidateServerHelloVersions(supported_version_labels,
negotiated_versions, error_details);
}
QuicErrorCode CryptoUtils::ValidateServerHelloVersions(
const QuicVersionLabelVector& server_versions,
const ParsedQuicVersionVector& negotiated_versions,
std::string* error_details) {
if (!negotiated_versions.empty()) {
bool mismatch = server_versions.size() != negotiated_versions.size();
for (size_t i = 0; i < server_versions.size() && !mismatch; ++i) {
mismatch =
server_versions[i] != CreateQuicVersionLabel(negotiated_versions[i]);
}
// The server sent a list of supported versions, and the connection
// reports that there was a version negotiation during the handshake.
// Ensure that these two lists are identical.
if (mismatch) {
*error_details = absl::StrCat(
"Downgrade attack detected: ServerVersions(", server_versions.size(),
")[", QuicVersionLabelVectorToString(server_versions, ",", 30),
"] NegotiatedVersions(", negotiated_versions.size(), ")[",
ParsedQuicVersionVectorToString(negotiated_versions, ",", 30), "]");
return QUIC_VERSION_NEGOTIATION_MISMATCH;
}
}
return QUIC_NO_ERROR;
}
QuicErrorCode CryptoUtils::ValidateClientHello(
const CryptoHandshakeMessage& client_hello, ParsedQuicVersion version,
const ParsedQuicVersionVector& supported_versions,
std::string* error_details) {
if (client_hello.tag() != kCHLO) {
*error_details = "Bad tag";
return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
}
// If the client's preferred version is not the version we are currently
// speaking, then the client went through a version negotiation. In this
// case, we need to make sure that we actually do not support this version
// and that it wasn't a downgrade attack.
QuicVersionLabel client_version_label;
if (client_hello.GetVersionLabel(kVER, &client_version_label) !=
QUIC_NO_ERROR) {
*error_details = "client hello missing version list";
return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
}
return ValidateClientHelloVersion(client_version_label, version,
supported_versions, error_details);
}
QuicErrorCode CryptoUtils::ValidateClientHelloVersion(
QuicVersionLabel client_version, ParsedQuicVersion connection_version,
const ParsedQuicVersionVector& supported_versions,
std::string* error_details) {
if (client_version != CreateQuicVersionLabel(connection_version)) {
// Check to see if |client_version| is actually on the supported versions
// list. If not, the server doesn't support that version and it's not a
// downgrade attack.
for (size_t i = 0; i < supported_versions.size(); ++i) {
if (client_version == CreateQuicVersionLabel(supported_versions[i])) {
*error_details = absl::StrCat(
"Downgrade attack detected: ClientVersion[",
QuicVersionLabelToString(client_version), "] ConnectionVersion[",
ParsedQuicVersionToString(connection_version),
"] SupportedVersions(", supported_versions.size(), ")[",
ParsedQuicVersionVectorToString(supported_versions, ",", 30), "]");
return QUIC_VERSION_NEGOTIATION_MISMATCH;
}
}
}
return QUIC_NO_ERROR;
}
// static
bool CryptoUtils::ValidateChosenVersion(
const QuicVersionLabel& version_information_chosen_version,
const ParsedQuicVersion& session_version, std::string* error_details) {
if (version_information_chosen_version !=
CreateQuicVersionLabel(session_version)) {
*error_details = absl::StrCat(
"Detected version mismatch: version_information contained ",
QuicVersionLabelToString(version_information_chosen_version),
" instead of ", ParsedQuicVersionToString(session_version));
return false;
}
return true;
}
// static
bool CryptoUtils::ValidateServerVersions(
const QuicVersionLabelVector& version_information_other_versions,
const ParsedQuicVersion& session_version,
const ParsedQuicVersionVector& client_original_supported_versions,
std::string* error_details) {
if (client_original_supported_versions.empty()) {
// We did not receive a version negotiation packet.
return true;
}
// Parse the server's other versions.
ParsedQuicVersionVector parsed_other_versions =
ParseQuicVersionLabelVector(version_information_other_versions);
// Find the first version that we originally supported that is listed in the
// server's other versions.
ParsedQuicVersion expected_version = ParsedQuicVersion::Unsupported();
for (const ParsedQuicVersion& client_version :
client_original_supported_versions) {
if (std::find(parsed_other_versions.begin(), parsed_other_versions.end(),
client_version) != parsed_other_versions.end()) {
expected_version = client_version;
break;
}
}
if (expected_version != session_version) {
*error_details = absl::StrCat(
"Downgrade attack detected: used ",
ParsedQuicVersionToString(session_version), " but ServerVersions(",
version_information_other_versions.size(), ")[",
QuicVersionLabelVectorToString(version_information_other_versions, ",",
30),
"] ClientOriginalVersions(", client_original_supported_versions.size(),
")[",
ParsedQuicVersionVectorToString(client_original_supported_versions, ",",
30),
"]");
return false;
}
return true;
}
#define RETURN_STRING_LITERAL(x) \
case x: \
return #x
// Returns the name of the HandshakeFailureReason as a char*
// static
const char* CryptoUtils::HandshakeFailureReasonToString(
HandshakeFailureReason reason) {
switch (reason) {
RETURN_STRING_LITERAL(HANDSHAKE_OK);
RETURN_STRING_LITERAL(CLIENT_NONCE_UNKNOWN_FAILURE);
RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_FAILURE);
RETURN_STRING_LITERAL(CLIENT_NONCE_NOT_UNIQUE_FAILURE);
RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_ORBIT_FAILURE);
RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_TIME_FAILURE);
RETURN_STRING_LITERAL(CLIENT_NONCE_STRIKE_REGISTER_TIMEOUT);
RETURN_STRING_LITERAL(CLIENT_NONCE_STRIKE_REGISTER_FAILURE);
RETURN_STRING_LITERAL(SERVER_NONCE_DECRYPTION_FAILURE);
RETURN_STRING_LITERAL(SERVER_NONCE_INVALID_FAILURE);
RETURN_STRING_LITERAL(SERVER_NONCE_NOT_UNIQUE_FAILURE);
RETURN_STRING_LITERAL(SERVER_NONCE_INVALID_TIME_FAILURE);
RETURN_STRING_LITERAL(SERVER_NONCE_REQUIRED_FAILURE);
RETURN_STRING_LITERAL(SERVER_CONFIG_INCHOATE_HELLO_FAILURE);
RETURN_STRING_LITERAL(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_INVALID_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_PARSE_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE);
RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE);
RETURN_STRING_LITERAL(INVALID_EXPECTED_LEAF_CERTIFICATE);
RETURN_STRING_LITERAL(MAX_FAILURE_REASON);
}
// Return a default value so that we return this when |reason| doesn't match
// any HandshakeFailureReason.. This can happen when the message by the peer
// (attacker) has invalid reason.
return "INVALID_HANDSHAKE_FAILURE_REASON";
}
#undef RETURN_STRING_LITERAL // undef for jumbo builds
// static
std::string CryptoUtils::EarlyDataReasonToString(
ssl_early_data_reason_t reason) {
const char* reason_string = SSL_early_data_reason_string(reason);
if (reason_string != nullptr) {
return std::string("ssl_early_data_") + reason_string;
}
QUIC_BUG_IF(quic_bug_12871_3,
reason < 0 || reason > ssl_early_data_reason_max_value)
<< "Unknown ssl_early_data_reason_t " << reason;
return "unknown ssl_early_data_reason_t";
}
// static
std::string CryptoUtils::HashHandshakeMessage(
const CryptoHandshakeMessage& message, Perspective /*perspective*/) {
std::string output;
const QuicData& serialized = message.GetSerialized();
uint8_t digest[SHA256_DIGEST_LENGTH];
SHA256(reinterpret_cast<const uint8_t*>(serialized.data()),
serialized.length(), digest);
output.assign(reinterpret_cast<const char*>(digest), sizeof(digest));
return output;
}
// static
bool CryptoUtils::GetSSLCapabilities(const SSL* ssl,
bssl::UniquePtr<uint8_t>* capabilities,
size_t* capabilities_len) {
uint8_t* buffer;
bssl::ScopedCBB cbb;
if (!CBB_init(cbb.get(), 128) ||
!SSL_serialize_capabilities(ssl, cbb.get()) ||
!CBB_finish(cbb.get(), &buffer, capabilities_len)) {
return false;
}
*capabilities = bssl::UniquePtr<uint8_t>(buffer);
return true;
}
// static
absl::optional<std::string> CryptoUtils::GenerateProofPayloadToBeSigned(
absl::string_view chlo_hash, absl::string_view server_config) {
size_t payload_size = sizeof(kProofSignatureLabel) + sizeof(uint32_t) +
chlo_hash.size() + server_config.size();
std::string payload;
payload.resize(payload_size);
QuicDataWriter payload_writer(payload_size, payload.data(),
quiche::Endianness::HOST_BYTE_ORDER);
bool success = payload_writer.WriteBytes(kProofSignatureLabel,
sizeof(kProofSignatureLabel)) &&
payload_writer.WriteUInt32(chlo_hash.size()) &&
payload_writer.WriteStringPiece(chlo_hash) &&
payload_writer.WriteStringPiece(server_config);
if (!success) {
return absl::nullopt;
}
return payload;
}
} // namespace quic