| QUICHE team | a6ef0a6 | 2019-03-07 20:34:33 -0500 | [diff] [blame] | 1 | // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "net/third_party/quiche/src/quic/core/crypto/channel_id.h" |
| 6 | |
| 7 | #include <cstdint> |
| 8 | |
| 9 | #include "third_party/boringssl/src/include/openssl/bn.h" |
| 10 | #include "third_party/boringssl/src/include/openssl/ec.h" |
| 11 | #include "third_party/boringssl/src/include/openssl/ecdsa.h" |
| 12 | #include "third_party/boringssl/src/include/openssl/nid.h" |
| 13 | #include "third_party/boringssl/src/include/openssl/sha.h" |
| 14 | |
| 15 | namespace quic { |
| 16 | |
| 17 | // static |
| 18 | const char ChannelIDVerifier::kContextStr[] = "QUIC ChannelID"; |
| 19 | // static |
| 20 | const char ChannelIDVerifier::kClientToServerStr[] = "client -> server"; |
| 21 | |
| 22 | // static |
| 23 | bool ChannelIDVerifier::Verify(QuicStringPiece key, |
| 24 | QuicStringPiece signed_data, |
| 25 | QuicStringPiece signature) { |
| 26 | return VerifyRaw(key, signed_data, signature, true); |
| 27 | } |
| 28 | |
| 29 | // static |
| 30 | bool ChannelIDVerifier::VerifyRaw(QuicStringPiece key, |
| 31 | QuicStringPiece signed_data, |
| 32 | QuicStringPiece signature, |
| 33 | bool is_channel_id_signature) { |
| 34 | if (key.size() != 32 * 2 || signature.size() != 32 * 2) { |
| 35 | return false; |
| 36 | } |
| 37 | |
| 38 | bssl::UniquePtr<EC_GROUP> p256( |
| 39 | EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)); |
| 40 | if (p256.get() == nullptr) { |
| 41 | return false; |
| 42 | } |
| 43 | |
| 44 | bssl::UniquePtr<BIGNUM> x(BN_new()), y(BN_new()), r(BN_new()), s(BN_new()); |
| 45 | |
| 46 | ECDSA_SIG sig; |
| 47 | sig.r = r.get(); |
| 48 | sig.s = s.get(); |
| 49 | |
| 50 | const uint8_t* key_bytes = reinterpret_cast<const uint8_t*>(key.data()); |
| 51 | const uint8_t* signature_bytes = |
| 52 | reinterpret_cast<const uint8_t*>(signature.data()); |
| 53 | |
| 54 | if (BN_bin2bn(key_bytes + 0, 32, x.get()) == nullptr || |
| 55 | BN_bin2bn(key_bytes + 32, 32, y.get()) == nullptr || |
| 56 | BN_bin2bn(signature_bytes + 0, 32, sig.r) == nullptr || |
| 57 | BN_bin2bn(signature_bytes + 32, 32, sig.s) == nullptr) { |
| 58 | return false; |
| 59 | } |
| 60 | |
| 61 | bssl::UniquePtr<EC_POINT> point(EC_POINT_new(p256.get())); |
| 62 | if (point.get() == nullptr || |
| 63 | !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(), |
| 64 | y.get(), nullptr)) { |
| 65 | return false; |
| 66 | } |
| 67 | |
| 68 | bssl::UniquePtr<EC_KEY> ecdsa_key(EC_KEY_new()); |
| 69 | if (ecdsa_key.get() == nullptr || |
| 70 | !EC_KEY_set_group(ecdsa_key.get(), p256.get()) || |
| 71 | !EC_KEY_set_public_key(ecdsa_key.get(), point.get())) { |
| 72 | return false; |
| 73 | } |
| 74 | |
| 75 | SHA256_CTX sha256; |
| 76 | SHA256_Init(&sha256); |
| 77 | if (is_channel_id_signature) { |
| 78 | SHA256_Update(&sha256, kContextStr, strlen(kContextStr) + 1); |
| 79 | SHA256_Update(&sha256, kClientToServerStr, strlen(kClientToServerStr) + 1); |
| 80 | } |
| 81 | SHA256_Update(&sha256, signed_data.data(), signed_data.size()); |
| 82 | |
| 83 | unsigned char digest[SHA256_DIGEST_LENGTH]; |
| 84 | SHA256_Final(digest, &sha256); |
| 85 | |
| 86 | return ECDSA_do_verify(digest, sizeof(digest), &sig, ecdsa_key.get()) == 1; |
| 87 | } |
| 88 | |
| 89 | } // namespace quic |
