Blame - quic/core/crypto/aead_base_decrypter.cc - quiche

blob: ab441b7946676f3ffaf6f2d07032d38c9def51af [file] [log] [blame]

QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	1	// Copyright (c) 2013 The Chromium Authors. All rights reserved.
				2	// Use of this source code is governed by a BSD-style license that can be
				3	// found in the LICENSE file.
				4
				5	#include "net/third_party/quiche/src/quic/core/crypto/aead_base_decrypter.h"
				6
				7	#include <cstdint>
vasilvv	872e7a3	2019-03-12 16:42:44 -0700	[diff] [blame]	8	#include <string>
QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	9
				10	#include "third_party/boringssl/src/include/openssl/crypto.h"
				11	#include "third_party/boringssl/src/include/openssl/err.h"
				12	#include "third_party/boringssl/src/include/openssl/evp.h"
				13	#include "net/third_party/quiche/src/quic/core/quic_utils.h"
				14	#include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
				15	#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
				16	#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	17
				18	namespace quic {
				19
				20	namespace {
				21
				22	// Clear OpenSSL error stack.
				23	void ClearOpenSslErrors() {
				24	while (ERR_get_error()) {
				25	}
				26	}
				27
				28	// In debug builds only, log OpenSSL error stack. Then clear OpenSSL error
				29	// stack.
				30	void DLogOpenSslErrors() {
				31	#ifdef NDEBUG
				32	ClearOpenSslErrors();
				33	#else
				34	while (uint32_t error = ERR_get_error()) {
				35	char buf[120];
				36	ERR_error_string_n(error, buf, QUIC_ARRAYSIZE(buf));
				37	QUIC_DLOG(ERROR) << "OpenSSL error: " << buf;
				38	}
				39	#endif
				40	}
				41
				42	const EVP_AEAD* InitAndCall(const EVP_AEAD* (*aead_getter)()) {
				43	// Ensure BoringSSL is initialized before calling \|aead_getter\|. In Chromium,
				44	// the static initializer is disabled.
				45	CRYPTO_library_init();
				46	return aead_getter();
				47	}
				48
				49	} // namespace
				50
				51	AeadBaseDecrypter::AeadBaseDecrypter(const EVP_AEAD* (*aead_getter)(),
				52	size_t key_size,
				53	size_t auth_tag_size,
				54	size_t nonce_size,
				55	bool use_ietf_nonce_construction)
				56	: aead_alg_(InitAndCall(aead_getter)),
				57	key_size_(key_size),
				58	auth_tag_size_(auth_tag_size),
				59	nonce_size_(nonce_size),
				60	use_ietf_nonce_construction_(use_ietf_nonce_construction),
				61	have_preliminary_key_(false) {
				62	DCHECK_GT(256u, key_size);
				63	DCHECK_GT(256u, auth_tag_size);
				64	DCHECK_GT(256u, nonce_size);
				65	DCHECK_LE(key_size_, sizeof(key_));
				66	DCHECK_LE(nonce_size_, sizeof(iv_));
				67	}
				68
				69	AeadBaseDecrypter::~AeadBaseDecrypter() {}
				70
				71	bool AeadBaseDecrypter::SetKey(QuicStringPiece key) {
				72	DCHECK_EQ(key.size(), key_size_);
				73	if (key.size() != key_size_) {
				74	return false;
				75	}
				76	memcpy(key_, key.data(), key.size());
				77
				78	EVP_AEAD_CTX_cleanup(ctx_.get());
				79	if (!EVP_AEAD_CTX_init(ctx_.get(), aead_alg_, key_, key_size_, auth_tag_size_,
				80	nullptr)) {
				81	DLogOpenSslErrors();
				82	return false;
				83	}
				84
				85	return true;
				86	}
				87
				88	bool AeadBaseDecrypter::SetNoncePrefix(QuicStringPiece nonce_prefix) {
				89	if (use_ietf_nonce_construction_) {
				90	QUIC_BUG << "Attempted to set nonce prefix on IETF QUIC crypter";
				91	return false;
				92	}
				93	DCHECK_EQ(nonce_prefix.size(), nonce_size_ - sizeof(QuicPacketNumber));
				94	if (nonce_prefix.size() != nonce_size_ - sizeof(QuicPacketNumber)) {
				95	return false;
				96	}
				97	memcpy(iv_, nonce_prefix.data(), nonce_prefix.size());
				98	return true;
				99	}
				100
				101	bool AeadBaseDecrypter::SetIV(QuicStringPiece iv) {
				102	if (!use_ietf_nonce_construction_) {
				103	QUIC_BUG << "Attempted to set IV on Google QUIC crypter";
				104	return false;
				105	}
				106	DCHECK_EQ(iv.size(), nonce_size_);
				107	if (iv.size() != nonce_size_) {
				108	return false;
				109	}
				110	memcpy(iv_, iv.data(), iv.size());
				111	return true;
				112	}
				113
				114	bool AeadBaseDecrypter::SetPreliminaryKey(QuicStringPiece key) {
				115	DCHECK(!have_preliminary_key_);
				116	SetKey(key);
				117	have_preliminary_key_ = true;
				118
				119	return true;
				120	}
				121
				122	bool AeadBaseDecrypter::SetDiversificationNonce(
				123	const DiversificationNonce& nonce) {
				124	if (!have_preliminary_key_) {
				125	return true;
				126	}
				127
vasilvv	c48c871	2019-03-11 13:38:16 -0700	[diff] [blame]	128	std::string key, nonce_prefix;
nharper	c1bbfe6	2019-09-27 16:48:40 -0700	[diff] [blame]	129	size_t prefix_size = nonce_size_;
				130	if (!use_ietf_nonce_construction_) {
				131	prefix_size -= sizeof(QuicPacketNumber);
				132	}
QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	133	DiversifyPreliminaryKey(
				134	QuicStringPiece(reinterpret_cast<const char*>(key_), key_size_),
				135	QuicStringPiece(reinterpret_cast<const char*>(iv_), prefix_size), nonce,
				136	key_size_, prefix_size, &key, &nonce_prefix);
				137
nharper	c1bbfe6	2019-09-27 16:48:40 -0700	[diff] [blame]	138	if (!SetKey(key) \|\|
				139	(!use_ietf_nonce_construction_ && !SetNoncePrefix(nonce_prefix)) \|\|
				140	(use_ietf_nonce_construction_ && !SetIV(nonce_prefix))) {
QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	141	DCHECK(false);
				142	return false;
				143	}
				144
				145	have_preliminary_key_ = false;
				146	return true;
				147	}
				148
				149	bool AeadBaseDecrypter::DecryptPacket(uint64_t packet_number,
				150	QuicStringPiece associated_data,
				151	QuicStringPiece ciphertext,
				152	char* output,
				153	size_t* output_length,
				154	size_t max_output_length) {
				155	if (ciphertext.length() < auth_tag_size_) {
				156	return false;
				157	}
				158
				159	if (have_preliminary_key_) {
				160	QUIC_BUG << "Unable to decrypt while key diversification is pending";
				161	return false;
				162	}
				163
				164	uint8_t nonce[kMaxNonceSize];
				165	memcpy(nonce, iv_, nonce_size_);
				166	size_t prefix_len = nonce_size_ - sizeof(packet_number);
				167	if (use_ietf_nonce_construction_) {
				168	for (size_t i = 0; i < sizeof(packet_number); ++i) {
				169	nonce[prefix_len + i] ^=
				170	(packet_number >> ((sizeof(packet_number) - i - 1) * 8)) & 0xff;
				171	}
				172	} else {
				173	memcpy(nonce + prefix_len, &packet_number, sizeof(packet_number));
				174	}
				175	if (!EVP_AEAD_CTX_open(
				176	ctx_.get(), reinterpret_cast<uint8_t*>(output), output_length,
				177	max_output_length, reinterpret_cast<const uint8_t*>(nonce),
				178	nonce_size_, reinterpret_cast<const uint8_t*>(ciphertext.data()),
				179	ciphertext.size(),
				180	reinterpret_cast<const uint8_t*>(associated_data.data()),
				181	associated_data.size())) {
				182	// Because QuicFramer does trial decryption, decryption errors are expected
				183	// when encryption level changes. So we don't log decryption errors.
				184	ClearOpenSslErrors();
				185	return false;
				186	}
				187	return true;
				188	}
				189
				190	size_t AeadBaseDecrypter::GetKeySize() const {
				191	return key_size_;
				192	}
				193
nharper	965e592	2019-09-23 22:33:54 -0700	[diff] [blame]	194	size_t AeadBaseDecrypter::GetNoncePrefixSize() const {
				195	return nonce_size_ - sizeof(QuicPacketNumber);
				196	}
				197
QUICHE team	a6ef0a6	2019-03-07 20:34:33 -0500	[diff] [blame]	198	size_t AeadBaseDecrypter::GetIVSize() const {
				199	return nonce_size_;
				200	}
				201
				202	QuicStringPiece AeadBaseDecrypter::GetKey() const {
				203	return QuicStringPiece(reinterpret_cast<const char*>(key_), key_size_);
				204	}
				205
				206	QuicStringPiece AeadBaseDecrypter::GetNoncePrefix() const {
				207	return QuicStringPiece(reinterpret_cast<const char*>(iv_),
				208	nonce_size_ - sizeof(QuicPacketNumber));
				209	}
				210
				211	} // namespace quic