Project import generated by Copybara.
PiperOrigin-RevId: 237361882
Change-Id: I109a68f44db867b20f8c6a7732b0ce657133e52a
diff --git a/quic/core/crypto/crypto_utils.cc b/quic/core/crypto/crypto_utils.cc
new file mode 100644
index 0000000..4f6a61d
--- /dev/null
+++ b/quic/core/crypto/crypto_utils.cc
@@ -0,0 +1,469 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_utils.h"
+
+#include <memory>
+
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
+#include "third_party/boringssl/src/include/openssl/hkdf.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
+#include "net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string.h"
+
+namespace quic {
+
+// TODO(nharper): HkdfExpandLabel and SetKeyAndIV (below) implement what is
+// specified in draft-ietf-quic-tls-16. The latest editors' draft has changed
+// derivation again, and this will need to be updated to reflect those (and any
+// other future) changes.
+// static
+std::vector<uint8_t> CryptoUtils::HkdfExpandLabel(
+ const EVP_MD* prf,
+ const std::vector<uint8_t>& secret,
+ const QuicString& label,
+ size_t out_len) {
+ bssl::ScopedCBB quic_hkdf_label;
+ CBB inner_label;
+ const char label_prefix[] = "quic ";
+ // The minimum possible length for the QuicHkdfLabel is 9 bytes - 2 bytes for
+ // Length, plus 1 byte for the length of the inner label, plus the length of
+ // that label (which is at least 5), plus 1 byte at the end.
+ if (!CBB_init(quic_hkdf_label.get(), 9) ||
+ !CBB_add_u16(quic_hkdf_label.get(), out_len) ||
+ !CBB_add_u8_length_prefixed(quic_hkdf_label.get(), &inner_label) ||
+ !CBB_add_bytes(&inner_label,
+ reinterpret_cast<const uint8_t*>(label_prefix),
+ QUIC_ARRAYSIZE(label_prefix) - 1) ||
+ !CBB_add_bytes(&inner_label,
+ reinterpret_cast<const uint8_t*>(label.data()),
+ label.size()) ||
+ !CBB_add_u8(quic_hkdf_label.get(), 0) ||
+ !CBB_flush(quic_hkdf_label.get())) {
+ QUIC_LOG(ERROR) << "Building HKDF label failed";
+ return std::vector<uint8_t>();
+ }
+ std::vector<uint8_t> out;
+ out.resize(out_len);
+ if (!HKDF_expand(out.data(), out_len, prf, secret.data(), secret.size(),
+ CBB_data(quic_hkdf_label.get()),
+ CBB_len(quic_hkdf_label.get()))) {
+ QUIC_LOG(ERROR) << "Running HKDF-Expand-Label failed";
+ return std::vector<uint8_t>();
+ }
+ return out;
+}
+
+void CryptoUtils::SetKeyAndIV(const EVP_MD* prf,
+ const std::vector<uint8_t>& pp_secret,
+ QuicCrypter* crypter) {
+ std::vector<uint8_t> key = CryptoUtils::HkdfExpandLabel(
+ prf, pp_secret, "key", crypter->GetKeySize());
+ std::vector<uint8_t> iv =
+ CryptoUtils::HkdfExpandLabel(prf, pp_secret, "iv", crypter->GetIVSize());
+ crypter->SetKey(
+ QuicStringPiece(reinterpret_cast<char*>(key.data()), key.size()));
+ crypter->SetIV(
+ QuicStringPiece(reinterpret_cast<char*>(iv.data()), iv.size()));
+}
+
+namespace {
+
+const uint8_t kInitialSalt[] = {0x9c, 0x10, 0x8f, 0x98, 0x52, 0x0a, 0x5c,
+ 0x5c, 0x32, 0x96, 0x8e, 0x95, 0x0e, 0x8a,
+ 0x2c, 0x5f, 0xe0, 0x6d, 0x6c, 0x38};
+
+const char kPreSharedKeyLabel[] = "QUIC PSK";
+
+} // namespace
+
+// static
+void CryptoUtils::CreateTlsInitialCrypters(Perspective perspective,
+ QuicTransportVersion version,
+ QuicConnectionId connection_id,
+ CrypterPair* crypters) {
+ QUIC_BUG_IF(!QuicUtils::IsConnectionIdValidForVersion(connection_id, version))
+ << "CreateTlsInitialCrypters: attempted to use connection ID "
+ << connection_id << " which is invalid with version "
+ << QuicVersionToString(version);
+ const EVP_MD* hash = EVP_sha256();
+
+ std::vector<uint8_t> handshake_secret;
+ handshake_secret.resize(EVP_MAX_MD_SIZE);
+ size_t handshake_secret_len;
+ const bool hkdf_extract_success = HKDF_extract(
+ handshake_secret.data(), &handshake_secret_len, hash,
+ reinterpret_cast<const uint8_t*>(connection_id.data()),
+ connection_id.length(), kInitialSalt, QUIC_ARRAYSIZE(kInitialSalt));
+ QUIC_BUG_IF(!hkdf_extract_success)
+ << "HKDF_extract failed when creating initial crypters";
+ handshake_secret.resize(handshake_secret_len);
+
+ const QuicString client_label = "client in";
+ const QuicString server_label = "server in";
+ QuicString encryption_label, decryption_label;
+ if (perspective == Perspective::IS_CLIENT) {
+ encryption_label = client_label;
+ decryption_label = server_label;
+ } else {
+ encryption_label = server_label;
+ decryption_label = client_label;
+ }
+ crypters->encrypter = QuicMakeUnique<Aes128GcmEncrypter>();
+ std::vector<uint8_t> encryption_secret = HkdfExpandLabel(
+ hash, handshake_secret, encryption_label, EVP_MD_size(hash));
+ SetKeyAndIV(hash, encryption_secret, crypters->encrypter.get());
+
+ crypters->decrypter = QuicMakeUnique<Aes128GcmDecrypter>();
+ std::vector<uint8_t> decryption_secret = HkdfExpandLabel(
+ hash, handshake_secret, decryption_label, EVP_MD_size(hash));
+ SetKeyAndIV(hash, decryption_secret, crypters->decrypter.get());
+}
+
+// static
+void CryptoUtils::GenerateNonce(QuicWallTime now,
+ QuicRandom* random_generator,
+ QuicStringPiece orbit,
+ QuicString* nonce) {
+ // a 4-byte timestamp + 28 random bytes.
+ nonce->reserve(kNonceSize);
+ nonce->resize(kNonceSize);
+
+ uint32_t gmt_unix_time = static_cast<uint32_t>(now.ToUNIXSeconds());
+ // The time in the nonce must be encoded in big-endian because the
+ // strike-register depends on the nonces being ordered by time.
+ (*nonce)[0] = static_cast<char>(gmt_unix_time >> 24);
+ (*nonce)[1] = static_cast<char>(gmt_unix_time >> 16);
+ (*nonce)[2] = static_cast<char>(gmt_unix_time >> 8);
+ (*nonce)[3] = static_cast<char>(gmt_unix_time);
+ size_t bytes_written = 4;
+
+ if (orbit.size() == 8) {
+ memcpy(&(*nonce)[bytes_written], orbit.data(), orbit.size());
+ bytes_written += orbit.size();
+ }
+
+ random_generator->RandBytes(&(*nonce)[bytes_written],
+ kNonceSize - bytes_written);
+}
+
+// static
+bool CryptoUtils::DeriveKeys(QuicStringPiece premaster_secret,
+ QuicTag aead,
+ QuicStringPiece client_nonce,
+ QuicStringPiece server_nonce,
+ QuicStringPiece pre_shared_key,
+ const QuicString& hkdf_input,
+ Perspective perspective,
+ Diversification diversification,
+ CrypterPair* crypters,
+ QuicString* subkey_secret) {
+ // If the connection is using PSK, concatenate it with the pre-master secret.
+ std::unique_ptr<char[]> psk_premaster_secret;
+ if (!pre_shared_key.empty()) {
+ const QuicStringPiece label(kPreSharedKeyLabel);
+ const size_t psk_premaster_secret_size = label.size() + 1 +
+ pre_shared_key.size() + 8 +
+ premaster_secret.size() + 8;
+
+ psk_premaster_secret = QuicMakeUnique<char[]>(psk_premaster_secret_size);
+ QuicDataWriter writer(psk_premaster_secret_size, psk_premaster_secret.get(),
+ HOST_BYTE_ORDER);
+
+ if (!writer.WriteStringPiece(label) || !writer.WriteUInt8(0) ||
+ !writer.WriteStringPiece(pre_shared_key) ||
+ !writer.WriteUInt64(pre_shared_key.size()) ||
+ !writer.WriteStringPiece(premaster_secret) ||
+ !writer.WriteUInt64(premaster_secret.size()) ||
+ writer.remaining() != 0) {
+ return false;
+ }
+
+ premaster_secret =
+ QuicStringPiece(psk_premaster_secret.get(), psk_premaster_secret_size);
+ }
+
+ crypters->encrypter = QuicEncrypter::Create(aead);
+ crypters->decrypter = QuicDecrypter::Create(aead);
+ size_t key_bytes = crypters->encrypter->GetKeySize();
+ size_t nonce_prefix_bytes = crypters->encrypter->GetNoncePrefixSize();
+ size_t subkey_secret_bytes =
+ subkey_secret == nullptr ? 0 : premaster_secret.length();
+
+ QuicStringPiece nonce = client_nonce;
+ QuicString nonce_storage;
+ if (!server_nonce.empty()) {
+ nonce_storage = QuicString(client_nonce) + QuicString(server_nonce);
+ nonce = nonce_storage;
+ }
+
+ QuicHKDF hkdf(premaster_secret, nonce, hkdf_input, key_bytes,
+ nonce_prefix_bytes, subkey_secret_bytes);
+
+ // Key derivation depends on the key diversification method being employed.
+ // both the client and the server support never doing key diversification.
+ // The server also supports immediate diversification, and the client
+ // supports pending diversification.
+ switch (diversification.mode()) {
+ case Diversification::NEVER: {
+ if (perspective == Perspective::IS_SERVER) {
+ if (!crypters->encrypter->SetKey(hkdf.server_write_key()) ||
+ !crypters->encrypter->SetNoncePrefix(hkdf.server_write_iv()) ||
+ !crypters->decrypter->SetKey(hkdf.client_write_key()) ||
+ !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv())) {
+ return false;
+ }
+ } else {
+ if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
+ !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+ !crypters->decrypter->SetKey(hkdf.server_write_key()) ||
+ !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
+ return false;
+ }
+ }
+ break;
+ }
+ case Diversification::PENDING: {
+ if (perspective == Perspective::IS_SERVER) {
+ QUIC_BUG << "Pending diversification is only for clients.";
+ return false;
+ }
+
+ if (!crypters->encrypter->SetKey(hkdf.client_write_key()) ||
+ !crypters->encrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+ !crypters->decrypter->SetPreliminaryKey(hkdf.server_write_key()) ||
+ !crypters->decrypter->SetNoncePrefix(hkdf.server_write_iv())) {
+ return false;
+ }
+ break;
+ }
+ case Diversification::NOW: {
+ if (perspective == Perspective::IS_CLIENT) {
+ QUIC_BUG << "Immediate diversification is only for servers.";
+ return false;
+ }
+
+ QuicString key, nonce_prefix;
+ QuicDecrypter::DiversifyPreliminaryKey(
+ hkdf.server_write_key(), hkdf.server_write_iv(),
+ *diversification.nonce(), key_bytes, nonce_prefix_bytes, &key,
+ &nonce_prefix);
+ if (!crypters->decrypter->SetKey(hkdf.client_write_key()) ||
+ !crypters->decrypter->SetNoncePrefix(hkdf.client_write_iv()) ||
+ !crypters->encrypter->SetKey(key) ||
+ !crypters->encrypter->SetNoncePrefix(nonce_prefix)) {
+ return false;
+ }
+ break;
+ }
+ default:
+ DCHECK(false);
+ }
+
+ if (subkey_secret != nullptr) {
+ *subkey_secret = QuicString(hkdf.subkey_secret());
+ }
+
+ return true;
+}
+
+// static
+bool CryptoUtils::ExportKeyingMaterial(QuicStringPiece subkey_secret,
+ QuicStringPiece label,
+ QuicStringPiece context,
+ size_t result_len,
+ QuicString* result) {
+ for (size_t i = 0; i < label.length(); i++) {
+ if (label[i] == '\0') {
+ QUIC_LOG(ERROR) << "ExportKeyingMaterial label may not contain NULs";
+ return false;
+ }
+ }
+ // Create HKDF info input: null-terminated label + length-prefixed context
+ if (context.length() >= std::numeric_limits<uint32_t>::max()) {
+ QUIC_LOG(ERROR) << "Context value longer than 2^32";
+ return false;
+ }
+ uint32_t context_length = static_cast<uint32_t>(context.length());
+ QuicString info = QuicString(label);
+ info.push_back('\0');
+ info.append(reinterpret_cast<char*>(&context_length), sizeof(context_length));
+ info.append(context.data(), context.length());
+
+ QuicHKDF hkdf(subkey_secret, QuicStringPiece() /* no salt */, info,
+ result_len, 0 /* no fixed IV */, 0 /* no subkey secret */);
+ *result = QuicString(hkdf.client_write_key());
+ return true;
+}
+
+// static
+uint64_t CryptoUtils::ComputeLeafCertHash(QuicStringPiece cert) {
+ return QuicUtils::FNV1a_64_Hash(cert);
+}
+
+QuicErrorCode CryptoUtils::ValidateServerHello(
+ const CryptoHandshakeMessage& server_hello,
+ const ParsedQuicVersionVector& negotiated_versions,
+ QuicString* error_details) {
+ DCHECK(error_details != nullptr);
+
+ if (server_hello.tag() != kSHLO) {
+ *error_details = "Bad tag";
+ return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
+ }
+
+ QuicVersionLabelVector supported_version_labels;
+ if (server_hello.GetVersionLabelList(kVER, &supported_version_labels) !=
+ QUIC_NO_ERROR) {
+ *error_details = "server hello missing version list";
+ return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+ }
+
+ return ValidateServerHelloVersions(supported_version_labels,
+ negotiated_versions, error_details);
+}
+
+QuicErrorCode CryptoUtils::ValidateServerHelloVersions(
+ const QuicVersionLabelVector& server_versions,
+ const ParsedQuicVersionVector& negotiated_versions,
+ QuicString* error_details) {
+ if (!negotiated_versions.empty()) {
+ bool mismatch = server_versions.size() != negotiated_versions.size();
+ for (size_t i = 0; i < server_versions.size() && !mismatch; ++i) {
+ mismatch =
+ server_versions[i] != CreateQuicVersionLabel(negotiated_versions[i]);
+ }
+ // The server sent a list of supported versions, and the connection
+ // reports that there was a version negotiation during the handshake.
+ // Ensure that these two lists are identical.
+ if (mismatch) {
+ *error_details = QuicStrCat(
+ "Downgrade attack detected: ServerVersions(", server_versions.size(),
+ ")[", QuicVersionLabelVectorToString(server_versions, ",", 30),
+ "] NegotiatedVersions(", negotiated_versions.size(), ")[",
+ ParsedQuicVersionVectorToString(negotiated_versions, ",", 30), "]");
+ return QUIC_VERSION_NEGOTIATION_MISMATCH;
+ }
+ }
+ return QUIC_NO_ERROR;
+}
+
+QuicErrorCode CryptoUtils::ValidateClientHello(
+ const CryptoHandshakeMessage& client_hello,
+ ParsedQuicVersion version,
+ const ParsedQuicVersionVector& supported_versions,
+ QuicString* error_details) {
+ if (client_hello.tag() != kCHLO) {
+ *error_details = "Bad tag";
+ return QUIC_INVALID_CRYPTO_MESSAGE_TYPE;
+ }
+
+ // If the client's preferred version is not the version we are currently
+ // speaking, then the client went through a version negotiation. In this
+ // case, we need to make sure that we actually do not support this version
+ // and that it wasn't a downgrade attack.
+ QuicVersionLabel client_version_label;
+ if (client_hello.GetVersionLabel(kVER, &client_version_label) !=
+ QUIC_NO_ERROR) {
+ *error_details = "client hello missing version list";
+ return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
+ }
+ return ValidateClientHelloVersion(client_version_label, version,
+ supported_versions, error_details);
+}
+
+QuicErrorCode CryptoUtils::ValidateClientHelloVersion(
+ QuicVersionLabel client_version,
+ ParsedQuicVersion connection_version,
+ const ParsedQuicVersionVector& supported_versions,
+ QuicString* error_details) {
+ if (client_version != CreateQuicVersionLabel(connection_version)) {
+ // Check to see if |client_version| is actually on the supported versions
+ // list. If not, the server doesn't support that version and it's not a
+ // downgrade attack.
+ for (size_t i = 0; i < supported_versions.size(); ++i) {
+ if (client_version == CreateQuicVersionLabel(supported_versions[i])) {
+ *error_details = QuicStrCat(
+ "Downgrade attack detected: ClientVersion[",
+ QuicVersionLabelToString(client_version), "] SupportedVersions(",
+ supported_versions.size(), ")[",
+ ParsedQuicVersionVectorToString(supported_versions, ",", 30), "]");
+ return QUIC_VERSION_NEGOTIATION_MISMATCH;
+ }
+ }
+ }
+ return QUIC_NO_ERROR;
+}
+
+#define RETURN_STRING_LITERAL(x) \
+ case x: \
+ return #x
+
+// Returns the name of the HandshakeFailureReason as a char*
+// static
+const char* CryptoUtils::HandshakeFailureReasonToString(
+ HandshakeFailureReason reason) {
+ switch (reason) {
+ RETURN_STRING_LITERAL(HANDSHAKE_OK);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_UNKNOWN_FAILURE);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_FAILURE);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_NOT_UNIQUE_FAILURE);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_ORBIT_FAILURE);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_INVALID_TIME_FAILURE);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_STRIKE_REGISTER_TIMEOUT);
+ RETURN_STRING_LITERAL(CLIENT_NONCE_STRIKE_REGISTER_FAILURE);
+
+ RETURN_STRING_LITERAL(SERVER_NONCE_DECRYPTION_FAILURE);
+ RETURN_STRING_LITERAL(SERVER_NONCE_INVALID_FAILURE);
+ RETURN_STRING_LITERAL(SERVER_NONCE_NOT_UNIQUE_FAILURE);
+ RETURN_STRING_LITERAL(SERVER_NONCE_INVALID_TIME_FAILURE);
+ RETURN_STRING_LITERAL(SERVER_NONCE_REQUIRED_FAILURE);
+
+ RETURN_STRING_LITERAL(SERVER_CONFIG_INCHOATE_HELLO_FAILURE);
+ RETURN_STRING_LITERAL(SERVER_CONFIG_UNKNOWN_CONFIG_FAILURE);
+
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_INVALID_FAILURE);
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE);
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_PARSE_FAILURE);
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE);
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE);
+ RETURN_STRING_LITERAL(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE);
+
+ RETURN_STRING_LITERAL(INVALID_EXPECTED_LEAF_CERTIFICATE);
+ RETURN_STRING_LITERAL(MAX_FAILURE_REASON);
+ }
+ // Return a default value so that we return this when |reason| doesn't match
+ // any HandshakeFailureReason.. This can happen when the message by the peer
+ // (attacker) has invalid reason.
+ return "INVALID_HANDSHAKE_FAILURE_REASON";
+}
+
+// static
+void CryptoUtils::HashHandshakeMessage(const CryptoHandshakeMessage& message,
+ QuicString* output,
+ Perspective perspective) {
+ const QuicData& serialized = message.GetSerialized();
+ uint8_t digest[SHA256_DIGEST_LENGTH];
+ SHA256(reinterpret_cast<const uint8_t*>(serialized.data()),
+ serialized.length(), digest);
+ output->assign(reinterpret_cast<const char*>(digest), sizeof(digest));
+}
+
+#undef RETURN_STRING_LITERAL // undef for jumbo builds
+} // namespace quic
