blob: 3496be942856aad0a1aa9ef2b04aad6609b67f1d [file] [log] [blame] [edit]
#include "quiche/oblivious_http/buffers/oblivious_http_response.h"
#include <stddef.h>
#include <stdint.h>
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include "absl/status/status.h"
#include "absl/status/statusor.h"
#include "absl/strings/str_cat.h"
#include "absl/strings/string_view.h"
#include "openssl/aead.h"
#include "openssl/hkdf.h"
#include "openssl/hpke.h"
#include "quiche/common/platform/api/quiche_bug_tracker.h"
#include "quiche/common/quiche_crypto_logging.h"
#include "quiche/common/quiche_random.h"
#include "quiche/oblivious_http/common/oblivious_http_header_key_config.h"
namespace quiche {
namespace {
// Generate a random string.
void random(QuicheRandom* quiche_random, char* dest, size_t len) {
if (quiche_random == nullptr) {
quiche_random = QuicheRandom::GetInstance();
}
quiche_random->RandBytes(dest, len);
}
} // namespace
// Ctor.
ObliviousHttpResponse::ObliviousHttpResponse(std::string encrypted_data,
std::string resp_plaintext)
: encrypted_data_(std::move(encrypted_data)),
response_plaintext_(std::move(resp_plaintext)) {}
// Response Decapsulation.
// 1. Extract resp_nonce
// 2. Build prk (pseudorandom key) using HKDF_Extract
// 3. Derive aead_key using HKDF_Labeled_Expand
// 4. Derive aead_nonce using HKDF_Labeled_Expand
// 5. Setup AEAD context and Decrypt.
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-4
absl::StatusOr<ObliviousHttpResponse>
ObliviousHttpResponse::CreateClientObliviousResponse(
std::string encrypted_data,
ObliviousHttpRequest::Context& oblivious_http_request_context,
absl::string_view resp_label) {
if (oblivious_http_request_context.hpke_context_ == nullptr) {
return absl::FailedPreconditionError(
"HPKE context wasn't initialized before proceeding with this Response "
"Decapsulation on Client-side.");
}
size_t expected_key_len = EVP_HPKE_KEM_enc_len(
EVP_HPKE_CTX_kem(oblivious_http_request_context.hpke_context_.get()));
if (oblivious_http_request_context.encapsulated_key_.size() !=
expected_key_len) {
return absl::InvalidArgumentError(absl::StrCat(
"Invalid len for encapsulated_key arg. Expected:", expected_key_len,
" Actual:", oblivious_http_request_context.encapsulated_key_.size()));
}
if (encrypted_data.empty()) {
return absl::InvalidArgumentError("Empty encrypted_data input param.");
}
absl::StatusOr<CommonAeadParamsResult> aead_params_st =
GetCommonAeadParams(oblivious_http_request_context);
if (!aead_params_st.ok()) {
return aead_params_st.status();
}
// secret_len = [max(Nn, Nk)] where Nk and Nn are the length of AEAD
// key and nonce associated with HPKE context.
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.1
size_t secret_len = aead_params_st.value().secret_len;
if (encrypted_data.size() < secret_len) {
return absl::InvalidArgumentError(
absl::StrCat("Invalid input response. Failed to parse required minimum "
"expected_len=",
secret_len, " bytes."));
}
// Extract response_nonce. Step 2
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.2
absl::string_view response_nonce =
absl::string_view(encrypted_data).substr(0, secret_len);
absl::string_view encrypted_response =
absl::string_view(encrypted_data).substr(secret_len);
// Steps (1, 3 to 5) + AEAD context SetUp before 6th step is performed in
// CommonOperations.
auto common_ops_st = CommonOperationsToEncapDecap(
response_nonce, oblivious_http_request_context, resp_label,
aead_params_st.value().aead_key_len,
aead_params_st.value().aead_nonce_len, aead_params_st.value().secret_len);
if (!common_ops_st.ok()) {
return common_ops_st.status();
}
std::string decrypted(encrypted_response.size(), '\0');
size_t decrypted_len;
// Decrypt with initialized AEAD context.
// response, error = Open(aead_key, aead_nonce, "", ct)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-6
if (!EVP_AEAD_CTX_open(
common_ops_st.value().aead_ctx.get(),
reinterpret_cast<uint8_t*>(decrypted.data()), &decrypted_len,
decrypted.size(),
reinterpret_cast<const uint8_t*>(
common_ops_st.value().aead_nonce.data()),
aead_params_st.value().aead_nonce_len,
reinterpret_cast<const uint8_t*>(encrypted_response.data()),
encrypted_response.size(), nullptr, 0)) {
return SslErrorAsStatus(
"Failed to decrypt the response with derived AEAD key and nonce.");
}
decrypted.resize(decrypted_len);
ObliviousHttpResponse oblivious_response(std::move(encrypted_data),
std::move(decrypted));
return oblivious_response;
}
// Response Encapsulation.
// Follows the Ohttp spec section-4.2 (Encapsulation of Responses) Ref
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2
// Use HPKE context from BoringSSL to export a secret and use it to Seal (AKA
// encrypt) the response back to the Sender(client)
absl::StatusOr<ObliviousHttpResponse>
ObliviousHttpResponse::CreateServerObliviousResponse(
std::string plaintext_payload,
ObliviousHttpRequest::Context& oblivious_http_request_context,
absl::string_view response_label, QuicheRandom* quiche_random) {
if (oblivious_http_request_context.hpke_context_ == nullptr) {
return absl::FailedPreconditionError(
"HPKE context wasn't initialized before proceeding with this Response "
"Encapsulation on Server-side.");
}
size_t expected_key_len = EVP_HPKE_KEM_enc_len(
EVP_HPKE_CTX_kem(oblivious_http_request_context.hpke_context_.get()));
if (oblivious_http_request_context.encapsulated_key_.size() !=
expected_key_len) {
return absl::InvalidArgumentError(absl::StrCat(
"Invalid len for encapsulated_key arg. Expected:", expected_key_len,
" Actual:", oblivious_http_request_context.encapsulated_key_.size()));
}
if (plaintext_payload.empty()) {
return absl::InvalidArgumentError("Empty plaintext_payload input param.");
}
absl::StatusOr<CommonAeadParamsResult> aead_params_st =
GetCommonAeadParams(oblivious_http_request_context);
if (!aead_params_st.ok()) {
return aead_params_st.status();
}
const size_t nonce_size = aead_params_st->secret_len;
const size_t max_encrypted_data_size =
nonce_size + plaintext_payload.size() +
EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(EVP_HPKE_CTX_aead(
oblivious_http_request_context.hpke_context_.get())));
std::string encrypted_data(max_encrypted_data_size, '\0');
// response_nonce = random(max(Nn, Nk))
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.2
random(quiche_random, encrypted_data.data(), nonce_size);
absl::string_view response_nonce =
absl::string_view(encrypted_data).substr(0, nonce_size);
// Steps (1, 3 to 5) + AEAD context SetUp before 6th step is performed in
// CommonOperations.
auto common_ops_st = CommonOperationsToEncapDecap(
response_nonce, oblivious_http_request_context, response_label,
aead_params_st.value().aead_key_len,
aead_params_st.value().aead_nonce_len, aead_params_st.value().secret_len);
if (!common_ops_st.ok()) {
return common_ops_st.status();
}
// ct = Seal(aead_key, aead_nonce, "", response)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.6
size_t ciphertext_len;
if (!EVP_AEAD_CTX_seal(
common_ops_st.value().aead_ctx.get(),
reinterpret_cast<uint8_t*>(encrypted_data.data() + nonce_size),
&ciphertext_len, encrypted_data.size() - nonce_size,
reinterpret_cast<const uint8_t*>(
common_ops_st.value().aead_nonce.data()),
aead_params_st.value().aead_nonce_len,
reinterpret_cast<const uint8_t*>(plaintext_payload.data()),
plaintext_payload.size(), nullptr, 0)) {
return SslErrorAsStatus(
"Failed to encrypt the payload with derived AEAD key.");
}
encrypted_data.resize(nonce_size + ciphertext_len);
if (nonce_size == 0 || ciphertext_len == 0) {
return absl::InternalError(absl::StrCat(
"ObliviousHttpResponse Object wasn't initialized with required fields.",
(nonce_size == 0 ? "Generated nonce is empty." : ""),
(ciphertext_len == 0 ? "Generated Encrypted payload is empty." : "")));
}
ObliviousHttpResponse oblivious_response(std::move(encrypted_data),
std::move(plaintext_payload));
return oblivious_response;
}
// Serialize.
// enc_response = concat(response_nonce, ct)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-4
const std::string& ObliviousHttpResponse::EncapsulateAndSerialize() const {
return encrypted_data_;
}
// Decrypted blob.
const std::string& ObliviousHttpResponse::GetPlaintextData() const {
return response_plaintext_;
}
// This section mainly deals with common operations performed by both
// Sender(client) and Receiver(gateway) on ObliviousHttpResponse.
absl::StatusOr<ObliviousHttpResponse::CommonAeadParamsResult>
ObliviousHttpResponse::GetCommonAeadParams(
ObliviousHttpRequest::Context& oblivious_http_request_context) {
const EVP_AEAD* evp_hpke_aead = EVP_HPKE_AEAD_aead(
EVP_HPKE_CTX_aead(oblivious_http_request_context.hpke_context_.get()));
if (evp_hpke_aead == nullptr) {
return absl::FailedPreconditionError(
"Key Configuration not supported by HPKE AEADs. Check your key "
"config.");
}
// Nk = [AEAD key len], is determined by BoringSSL.
const size_t aead_key_len = EVP_AEAD_key_length(evp_hpke_aead);
// Nn = [AEAD nonce len], is determined by BoringSSL.
const size_t aead_nonce_len = EVP_AEAD_nonce_length(evp_hpke_aead);
const size_t secret_len = std::max(aead_key_len, aead_nonce_len);
CommonAeadParamsResult result{evp_hpke_aead, aead_key_len, aead_nonce_len,
secret_len};
return result;
}
// Common Steps of AEAD key and AEAD nonce derivation common to both
// client(decapsulation) & Gateway(encapsulation) in handling
// Oblivious-Response. Ref Steps (1, 3-to-5, and setting up AEAD context in
// preparation for 6th step's Seal/Open) in spec.
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-4
absl::StatusOr<ObliviousHttpResponse::CommonOperationsResult>
ObliviousHttpResponse::CommonOperationsToEncapDecap(
absl::string_view response_nonce,
ObliviousHttpRequest::Context& oblivious_http_request_context,
absl::string_view resp_label, const size_t aead_key_len,
const size_t aead_nonce_len, const size_t secret_len) {
if (response_nonce.empty()) {
return absl::InvalidArgumentError("Invalid input params.");
}
// secret = context.Export("message/bhttp response", Nk)
// Export secret of len [max(Nn, Nk)] where Nk and Nn are the length of AEAD
// key and nonce associated with context.
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.1
std::string secret(secret_len, '\0');
if (!EVP_HPKE_CTX_export(oblivious_http_request_context.hpke_context_.get(),
reinterpret_cast<uint8_t*>(secret.data()),
secret.size(),
reinterpret_cast<const uint8_t*>(resp_label.data()),
resp_label.size())) {
return SslErrorAsStatus("Failed to export secret.");
}
// salt = concat(enc, response_nonce)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.3
std::string salt = absl::StrCat(
oblivious_http_request_context.encapsulated_key_, response_nonce);
// prk = Extract(salt, secret)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.3
std::string pseudorandom_key(EVP_MAX_MD_SIZE, '\0');
size_t prk_len;
auto evp_md = EVP_HPKE_KDF_hkdf_md(
EVP_HPKE_CTX_kdf(oblivious_http_request_context.hpke_context_.get()));
if (evp_md == nullptr) {
QUICHE_BUG(Invalid Key Configuration
: Unsupported BoringSSL HPKE KDFs)
<< "Update KeyConfig to support only BoringSSL HKDFs.";
return absl::FailedPreconditionError(
"Key Configuration not supported by BoringSSL HPKE KDFs. Check your "
"Key "
"Config.");
}
if (!HKDF_extract(
reinterpret_cast<uint8_t*>(pseudorandom_key.data()), &prk_len, evp_md,
reinterpret_cast<const uint8_t*>(secret.data()), secret_len,
reinterpret_cast<const uint8_t*>(salt.data()), salt.size())) {
return SslErrorAsStatus(
"Failed to derive pesudorandom key from salt and secret.");
}
pseudorandom_key.resize(prk_len);
// aead_key = Expand(prk, "key", Nk)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.4
std::string aead_key(aead_key_len, '\0');
absl::string_view hkdf_info = ObliviousHttpHeaderKeyConfig::kKeyHkdfInfo;
// All currently supported KDFs are HKDF-based. See CheckKdfId in
// `ObliviousHttpHeaderKeyConfig`.
if (!HKDF_expand(reinterpret_cast<uint8_t*>(aead_key.data()), aead_key_len,
evp_md,
reinterpret_cast<const uint8_t*>(pseudorandom_key.data()),
prk_len, reinterpret_cast<const uint8_t*>(hkdf_info.data()),
hkdf_info.size())) {
return SslErrorAsStatus(
"Failed to expand AEAD key using pseudorandom key(prk).");
}
// aead_nonce = Expand(prk, "nonce", Nn)
// https://www.ietf.org/archive/id/draft-ietf-ohai-ohttp-03.html#section-4.2-2.5
std::string aead_nonce(aead_nonce_len, '\0');
hkdf_info = ObliviousHttpHeaderKeyConfig::kNonceHkdfInfo;
// All currently supported KDFs are HKDF-based. See CheckKdfId in
// `ObliviousHttpHeaderKeyConfig`.
if (!HKDF_expand(reinterpret_cast<uint8_t*>(aead_nonce.data()),
aead_nonce_len, evp_md,
reinterpret_cast<const uint8_t*>(pseudorandom_key.data()),
prk_len, reinterpret_cast<const uint8_t*>(hkdf_info.data()),
hkdf_info.size())) {
return SslErrorAsStatus(
"Failed to expand AEAD nonce using pseudorandom key(prk).");
}
const EVP_AEAD* evp_hpke_aead = EVP_HPKE_AEAD_aead(
EVP_HPKE_CTX_aead(oblivious_http_request_context.hpke_context_.get()));
if (evp_hpke_aead == nullptr) {
return absl::FailedPreconditionError(
"Key Configuration not supported by HPKE AEADs. Check your key "
"config.");
}
// Setup AEAD context for subsequent Seal/Open operation in response handling.
bssl::UniquePtr<EVP_AEAD_CTX> aead_ctx(EVP_AEAD_CTX_new(
evp_hpke_aead, reinterpret_cast<const uint8_t*>(aead_key.data()),
aead_key.size(), 0));
if (aead_ctx == nullptr) {
return SslErrorAsStatus("Failed to initialize AEAD context.");
}
if (!EVP_AEAD_CTX_init(aead_ctx.get(), evp_hpke_aead,
reinterpret_cast<const uint8_t*>(aead_key.data()),
aead_key.size(), 0, nullptr)) {
return SslErrorAsStatus(
"Failed to initialize AEAD context with derived key.");
}
CommonOperationsResult result{std::move(aead_ctx), std::move(aead_nonce)};
return result;
}
} // namespace quiche