Google Git
Sign in
quiche / quiche / 2e72f388f28e6abc09bed6c66f26f41cc3fcaa32 / . / quic / core / crypto / crypto_utils.h
blob: b88177883fd67600982aacd87559152d375a894e [file] [log] [blame]
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Some helpers for quic crypto
6
7#ifndef QUICHE_QUIC_CORE_CRYPTO_CRYPTO_UTILS_H_
8#define QUICHE_QUIC_CORE_CRYPTO_CRYPTO_UTILS_H_
9
10#include <cstddef>
11#include <cstdint>
vasilvv872e7a32019-03-12 16:42:44 -0700[diff] [blame]12#include <string>
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]13
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]14#include "third_party/boringssl/src/include/openssl/evp.h"
15#include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
16#include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.h"
17#include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
18#include "net/third_party/quiche/src/quic/core/crypto/quic_crypter.h"
19#include "net/third_party/quiche/src/quic/core/quic_packets.h"
20#include "net/third_party/quiche/src/quic/core/quic_time.h"
21#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]22#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
23
24namespace quic {
25
26class QuicRandom;
27
28class QUIC_EXPORT_PRIVATE CryptoUtils {
29 public:
30 CryptoUtils() = delete;
31
32 // Diversification is a utility class that's used to act like a union type.
33 // Values can be created by calling the functions like |NoDiversification|,
34 // below.
35 class Diversification {
36 public:
37 enum Mode {
38 NEVER, // Key diversification will never be used. Forward secure
39 // crypters will always use this mode.
40
41 PENDING, // Key diversification will happen when a nonce is later
42 // received. This should only be used by clients initial
43 // decrypters which are waiting on the divesification nonce
44 // from the server.
45
46 NOW, // Key diversification will happen immediate based on the nonce.
47 // This should only be used by servers initial encrypters.
48 };
49
50 Diversification(const Diversification& diversification) = default;
51
52 static Diversification Never() { return Diversification(NEVER, nullptr); }
53 static Diversification Pending() {
54 return Diversification(PENDING, nullptr);
55 }
56 static Diversification Now(DiversificationNonce* nonce) {
57 return Diversification(NOW, nonce);
58 }
59
60 Mode mode() const { return mode_; }
61 DiversificationNonce* nonce() const {
62 DCHECK_EQ(mode_, NOW);
63 return nonce_;
64 }
65
66 private:
67 Diversification(Mode mode, DiversificationNonce* nonce)
68 : mode_(mode), nonce_(nonce) {}
69
70 Mode mode_;
71 DiversificationNonce* nonce_;
72 };
73
74 // SetKeyAndIV derives the key and IV from the given packet protection secret
75 // |pp_secret| and sets those fields on the given QuicCrypter |*crypter|.
76 // This follows the derivation described in section 7.3 of RFC 8446, except
77 // with the label prefix in HKDF-Expand-Label changed from "tls13 " to "quic "
78 // as described in draft-ietf-quic-tls-14, section 5.1.
79 static void SetKeyAndIV(const EVP_MD* prf,
80 const std::vector<uint8_t>& pp_secret,
81 QuicCrypter* crypter);
82
83 // QUIC encrypts TLS handshake messages with a version-specific key (to
84 // prevent network observers that are not aware of that QUIC version from
85 // making decisions based on the TLS handshake). This packet protection secret
86 // is derived from the connection ID in the client's Initial packet.
87 //
88 // This function takes that |connection_id| and creates the encrypter and
89 // decrypter (put in |*crypters|) to use for this packet protection, as well
90 // as setting the key and IV on those crypters.
91 static void CreateTlsInitialCrypters(Perspective perspective,
92 QuicTransportVersion version,
93 QuicConnectionId connection_id,
94 CrypterPair* crypters);
95
96 // Generates the connection nonce. The nonce is formed as:
97 // <4 bytes> current time
98 // <8 bytes> |orbit| (or random if |orbit| is empty)
99 // <20 bytes> random
100 static void GenerateNonce(QuicWallTime now,
101 QuicRandom* random_generator,
102 QuicStringPiece orbit,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]103 std::string* nonce);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]104
105 // DeriveKeys populates |crypters->encrypter|, |crypters->decrypter|, and
106 // |subkey_secret| (optional -- may be null) given the contents of
107 // |premaster_secret|, |client_nonce|, |server_nonce| and |hkdf_input|. |aead|
108 // determines which cipher will be used. |perspective| controls whether the
109 // server's keys are assigned to |encrypter| or |decrypter|. |server_nonce| is
110 // optional and, if non-empty, is mixed into the key derivation.
111 // |subkey_secret| will have the same length as |premaster_secret|.
112 //
113 // If |pre_shared_key| is non-empty, it is incorporated into the key
114 // derivation parameters. If it is empty, the key derivation is unaltered.
115 //
116 // If the mode of |diversification| is NEVER, the the crypters will be
117 // configured to never perform key diversification. If the mode is
118 // NOW (which is only for servers, then the encrypter will be keyed via a
119 // two-step process that uses the nonce from |diversification|.
120 // If the mode is PENDING (which is only for servres), then the
121 // decrypter will only be keyed to a preliminary state: a call to
122 // |SetDiversificationNonce| with a diversification nonce will be needed to
123 // complete keying.
124 static bool DeriveKeys(QuicStringPiece premaster_secret,
125 QuicTag aead,
126 QuicStringPiece client_nonce,
127 QuicStringPiece server_nonce,
128 QuicStringPiece pre_shared_key,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]129 const std::string& hkdf_input,
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]130 Perspective perspective,
131 Diversification diversification,
132 CrypterPair* crypters,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]133 std::string* subkey_secret);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]134
135 // Performs key extraction to derive a new secret of |result_len| bytes
136 // dependent on |subkey_secret|, |label|, and |context|. Returns false if the
137 // parameters are invalid (e.g. |label| contains null bytes); returns true on
138 // success.
139 static bool ExportKeyingMaterial(QuicStringPiece subkey_secret,
140 QuicStringPiece label,
141 QuicStringPiece context,
142 size_t result_len,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]143 std::string* result);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]144
145 // Computes the FNV-1a hash of the provided DER-encoded cert for use in the
146 // XLCT tag.
147 static uint64_t ComputeLeafCertHash(QuicStringPiece cert);
148
149 // Validates that |server_hello| is actually an SHLO message and that it is
150 // not part of a downgrade attack.
151 //
152 // Returns QUIC_NO_ERROR if this is the case or returns the appropriate error
153 // code and sets |error_details|.
154 static QuicErrorCode ValidateServerHello(
155 const CryptoHandshakeMessage& server_hello,
156 const ParsedQuicVersionVector& negotiated_versions,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]157 std::string* error_details);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]158
159 // Validates that the |server_versions| received do not indicate that the
160 // ServerHello is part of a downgrade attack. |negotiated_versions| must
161 // contain the list of versions received in the server's version negotiation
162 // packet (or be empty if no such packet was received).
163 //
164 // Returns QUIC_NO_ERROR if this is the case or returns the appropriate error
165 // code and sets |error_details|.
166 static QuicErrorCode ValidateServerHelloVersions(
167 const QuicVersionLabelVector& server_versions,
168 const ParsedQuicVersionVector& negotiated_versions,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]169 std::string* error_details);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]170
171 // Validates that |client_hello| is actually a CHLO and that this is not part
172 // of a downgrade attack.
173 // This includes verifiying versions and detecting downgrade attacks.
174 //
175 // Returns QUIC_NO_ERROR if this is the case or returns the appropriate error
176 // code and sets |error_details|.
177 static QuicErrorCode ValidateClientHello(
178 const CryptoHandshakeMessage& client_hello,
179 ParsedQuicVersion version,
180 const ParsedQuicVersionVector& supported_versions,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]181 std::string* error_details);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]182
183 // Validates that the |client_version| received does not indicate that a
184 // downgrade attack has occurred. |connection_version| is the version of the
185 // QuicConnection, and |supported_versions| is all versions that that
186 // QuicConnection supports.
187 //
188 // Returns QUIC_NO_ERROR if this is the case or returns the appropriate error
189 // code and sets |error_details|.
190 static QuicErrorCode ValidateClientHelloVersion(
191 QuicVersionLabel client_version,
192 ParsedQuicVersion connection_version,
193 const ParsedQuicVersionVector& supported_versions,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]194 std::string* error_details);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]195
196 // Returns the name of the HandshakeFailureReason as a char*
197 static const char* HandshakeFailureReasonToString(
198 HandshakeFailureReason reason);
199
QUICHE team84910bd2019-03-15 07:03:40 -0700[diff] [blame]200 // Returns a hash of the serialized |message|.
rchd5d13c22019-03-18 14:31:09 -0700[diff] [blame]201 static std::string HashHandshakeMessage(const CryptoHandshakeMessage& message,
202 Perspective perspective);
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]203
204 private:
205 // Implements the HKDF-Expand-Label function as defined in section 7.1 of RFC
206 // 8446, except that it uses "quic " as the prefix instead of "tls13 ", as
207 // specified by draft-ietf-quic-tls-14. The HKDF-Expand-Label function takes 4
208 // explicit arguments (Secret, Label, Context, and Length), as well as
209 // implicit PRF which is the hash function negotiated by TLS. Its use in QUIC
210 // (as needed by the QUIC stack, instead of as used internally by the TLS
211 // stack) is only for deriving initial secrets for obfuscation and for
212 // calculating packet protection keys and IVs from the corresponding packet
213 // protection secret. Neither of these uses need a Context (a zero-length
214 // context is provided), so this argument is omitted here.
215 //
216 // The implicit PRF is explicitly passed into HkdfExpandLabel as |prf|; the
217 // Secret, Label, and Length are passed in as |secret|, |label|, and
218 // |out_len|, respectively. The resulting expanded secret is returned.
219 static std::vector<uint8_t> HkdfExpandLabel(
220 const EVP_MD* prf,
221 const std::vector<uint8_t>& secret,
vasilvvc48c8712019-03-11 13:38:16 -0700[diff] [blame]222 const std::string& label,
QUICHE teama6ef0a62019-03-07 20:34:33 -0500[diff] [blame]223 size_t out_len);
224};
225
226} // namespace quic
227
228#endif // QUICHE_QUIC_CORE_CRYPTO_CRYPTO_UTILS_H_