// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "quiche/quic/core/crypto/crypto_utils.h" #include <algorithm> #include <memory> #include <optional> #include <string> #include <utility> #include <vector> #include "absl/base/macros.h" #include "absl/strings/str_cat.h" #include "absl/strings/string_view.h" #include "openssl/bytestring.h" #include "openssl/hkdf.h" #include "openssl/mem.h" #include "openssl/sha.h" #include "quiche/quic/core/crypto/aes_128_gcm_12_decrypter.h" #include "quiche/quic/core/crypto/aes_128_gcm_12_encrypter.h" #include "quiche/quic/core/crypto/aes_128_gcm_decrypter.h" #include "quiche/quic/core/crypto/aes_128_gcm_encrypter.h" #include "quiche/quic/core/crypto/crypto_handshake.h" #include "quiche/quic/core/crypto/crypto_protocol.h" #include "quiche/quic/core/crypto/null_decrypter.h" #include "quiche/quic/core/crypto/null_encrypter.h" #include "quiche/quic/core/crypto/quic_decrypter.h" #include "quiche/quic/core/crypto/quic_encrypter.h" #include "quiche/quic/core/crypto/quic_hkdf.h" #include "quiche/quic/core/crypto/quic_random.h" #include "quiche/quic/core/quic_connection_id.h" #include "quiche/quic/core/quic_constants.h" #include "quiche/quic/core/quic_data_writer.h" #include "quiche/quic/core/quic_time.h" #include "quiche/quic/core/quic_utils.h" #include "quiche/quic/core/quic_versions.h" #include "quiche/quic/platform/api/quic_bug_tracker.h" #include "quiche/quic/platform/api/quic_logging.h" #include "quiche/common/quiche_endian.h" namespace quic { namespace { // Implements the HKDF-Expand-Label function as defined in section 7.1 of RFC // 8446. The HKDF-Expand-Label function takes 4 explicit arguments (Secret, // Label, Context, and Length), as well as implicit PRF which is the hash // function negotiated by TLS. Its use in QUIC (as needed by the QUIC stack, // instead of as used internally by the TLS stack) is only for deriving initial // secrets for obfuscation, for calculating packet protection keys and IVs from // the corresponding packet protection secret and key update in the same quic // session. None of these uses need a Context (a zero-length context is // provided), so this argument is omitted here. // // The implicit PRF is explicitly passed into HkdfExpandLabel as |prf|; the // Secret, Label, and Length are passed in as |secret|, |label|, and // |out_len|, respectively. The resulting expanded secret is returned. std::vector<uint8_t> HkdfExpandLabel(const EVP_MD* prf, absl::Span<const uint8_t> secret, const std::string& label, size_t out_len) { … } } // namespace const std::string getLabelForVersion(const ParsedQuicVersion& version, const absl::string_view& predicate) { … } void CryptoUtils::InitializeCrypterSecrets( const EVP_MD* prf, const std::vector<uint8_t>& pp_secret, const ParsedQuicVersion& version, QuicCrypter* crypter) { … } void CryptoUtils::SetKeyAndIV(const EVP_MD* prf, absl::Span<const uint8_t> pp_secret, const ParsedQuicVersion& version, QuicCrypter* crypter) { … } std::vector<uint8_t> CryptoUtils::GenerateHeaderProtectionKey( const EVP_MD* prf, absl::Span<const uint8_t> pp_secret, const ParsedQuicVersion& version, size_t out_len) { … } std::vector<uint8_t> CryptoUtils::GenerateNextKeyPhaseSecret( const EVP_MD* prf, const ParsedQuicVersion& version, const std::vector<uint8_t>& current_secret) { … } namespace { // Salt from https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-5.2 const uint8_t kDraft29InitialSalt[] = …; const uint8_t kRFCv1InitialSalt[] = …; const uint8_t kRFCv2InitialSalt[] = …; // Salts used by deployed versions of QUIC. When introducing a new version, // generate a new salt by running `openssl rand -hex 20`. // Salt to use for initial obfuscators in // ParsedQuicVersion::ReservedForNegotiation(). const uint8_t kReservedForNegotiationSalt[] = …; const uint8_t* InitialSaltForVersion(const ParsedQuicVersion& version, size_t* out_len) { … } const char kPreSharedKeyLabel[] = …; // Retry Integrity Protection Keys and Nonces. // https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-5.8 // When introducing a new Google version, generate a new key by running // `openssl rand -hex 16`. const uint8_t kDraft29RetryIntegrityKey[] = …; const uint8_t kDraft29RetryIntegrityNonce[] = …; const uint8_t kRFCv1RetryIntegrityKey[] = …; const uint8_t kRFCv1RetryIntegrityNonce[] = …; const uint8_t kRFCv2RetryIntegrityKey[] = …; const uint8_t kRFCv2RetryIntegrityNonce[] = …; // Retry integrity key used by ParsedQuicVersion::ReservedForNegotiation(). const uint8_t kReservedForNegotiationRetryIntegrityKey[] = …; // When introducing a new Google version, generate a new nonce by running // `openssl rand -hex 12`. // Retry integrity nonce used by ParsedQuicVersion::ReservedForNegotiation(). const uint8_t kReservedForNegotiationRetryIntegrityNonce[] = …; bool RetryIntegrityKeysForVersion(const ParsedQuicVersion& version, absl::string_view* key, absl::string_view* nonce) { … } } // namespace // static void CryptoUtils::CreateInitialObfuscators(Perspective perspective, ParsedQuicVersion version, QuicConnectionId connection_id, CrypterPair* crypters) { … } // static bool CryptoUtils::ValidateRetryIntegrityTag( ParsedQuicVersion version, QuicConnectionId original_connection_id, absl::string_view retry_without_tag, absl::string_view integrity_tag) { … } // static void CryptoUtils::GenerateNonce(QuicWallTime now, QuicRandom* random_generator, absl::string_view orbit, std::string* nonce) { … } // static bool CryptoUtils::DeriveKeys( const ParsedQuicVersion& version, absl::string_view premaster_secret, QuicTag aead, absl::string_view client_nonce, absl::string_view server_nonce, absl::string_view pre_shared_key, const std::string& hkdf_input, Perspective perspective, Diversification diversification, CrypterPair* crypters, std::string* subkey_secret) { … } // static uint64_t CryptoUtils::ComputeLeafCertHash(absl::string_view cert) { … } QuicErrorCode CryptoUtils::ValidateServerHello( const CryptoHandshakeMessage& server_hello, const ParsedQuicVersionVector& negotiated_versions, std::string* error_details) { … } QuicErrorCode CryptoUtils::ValidateServerHelloVersions( const QuicVersionLabelVector& server_versions, const ParsedQuicVersionVector& negotiated_versions, std::string* error_details) { … } QuicErrorCode CryptoUtils::ValidateClientHello( const CryptoHandshakeMessage& client_hello, ParsedQuicVersion version, const ParsedQuicVersionVector& supported_versions, std::string* error_details) { … } QuicErrorCode CryptoUtils::ValidateClientHelloVersion( QuicVersionLabel client_version, ParsedQuicVersion connection_version, const ParsedQuicVersionVector& supported_versions, std::string* error_details) { … } // static bool CryptoUtils::ValidateChosenVersion( const QuicVersionLabel& version_information_chosen_version, const ParsedQuicVersion& session_version, std::string* error_details) { … } // static bool CryptoUtils::ValidateServerVersions( const QuicVersionLabelVector& version_information_other_versions, const ParsedQuicVersion& session_version, const ParsedQuicVersionVector& client_original_supported_versions, std::string* error_details) { … } #define RETURN_STRING_LITERAL … // Returns the name of the HandshakeFailureReason as a char* // static const char* CryptoUtils::HandshakeFailureReasonToString( HandshakeFailureReason reason) { … } #undef RETURN_STRING_LITERAL // undef for jumbo builds // static std::string CryptoUtils::EarlyDataReasonToString( ssl_early_data_reason_t reason) { … } // static std::string CryptoUtils::HashHandshakeMessage( const CryptoHandshakeMessage& message, Perspective /*perspective*/) { … } // static bool CryptoUtils::GetSSLCapabilities(const SSL* ssl, bssl::UniquePtr<uint8_t>* capabilities, size_t* capabilities_len) { … } // static std::optional<std::string> CryptoUtils::GenerateProofPayloadToBeSigned( absl::string_view chlo_hash, absl::string_view server_config) { … } } // namespace quic
Codebase Browser
chromium