123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489 |
- #include "quic_record_shared.h"
- #include "internal/quic_record_util.h"
- #include "internal/common.h"
- #include "../ssl_local.h"
- /* Constants used for key derivation in QUIC v1. */
- static const unsigned char quic_v1_iv_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */
- };
- static const unsigned char quic_v1_key_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */
- };
- static const unsigned char quic_v1_hp_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */
- };
- static const unsigned char quic_v1_ku_label[] = {
- 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x75 /* "quic ku" */
- };
- OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level,
- int require_prov)
- {
- OSSL_QRL_ENC_LEVEL *el;
- if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM))
- return NULL;
- el = &els->el[enc_level];
- if (require_prov)
- switch (el->state) {
- case QRL_EL_STATE_PROV_NORMAL:
- case QRL_EL_STATE_PROV_UPDATING:
- case QRL_EL_STATE_PROV_COOLDOWN:
- break;
- default:
- return NULL;
- }
- return el;
- }
- int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- switch (el->state) {
- case QRL_EL_STATE_UNPROV:
- return 0;
- case QRL_EL_STATE_PROV_NORMAL:
- case QRL_EL_STATE_PROV_UPDATING:
- case QRL_EL_STATE_PROV_COOLDOWN:
- return 1;
- default:
- case QRL_EL_STATE_DISCARDED:
- return -1;
- }
- }
- int ossl_qrl_enc_level_set_has_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level,
- unsigned char tgt_state,
- size_t keyslot)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- if (!ossl_assert(el != NULL && keyslot < 2))
- return 0;
- switch (tgt_state) {
- case QRL_EL_STATE_PROV_NORMAL:
- case QRL_EL_STATE_PROV_UPDATING:
- return enc_level == QUIC_ENC_LEVEL_1RTT || keyslot == 0;
- case QRL_EL_STATE_PROV_COOLDOWN:
- assert(enc_level == QUIC_ENC_LEVEL_1RTT);
- return keyslot == (el->key_epoch & 1);
- default:
- return 0;
- }
- }
- static void el_teardown_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level,
- size_t keyslot)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- if (!ossl_qrl_enc_level_set_has_keyslot(els, enc_level, el->state, keyslot))
- return;
- if (el->cctx[keyslot] != NULL) {
- EVP_CIPHER_CTX_free(el->cctx[keyslot]);
- el->cctx[keyslot] = NULL;
- }
- OPENSSL_cleanse(el->iv[keyslot], sizeof(el->iv[keyslot]));
- }
- static int el_setup_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level,
- unsigned char tgt_state,
- size_t keyslot,
- const unsigned char *secret,
- size_t secret_len)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- unsigned char key[EVP_MAX_KEY_LENGTH];
- size_t key_len = 0, iv_len = 0;
- const char *cipher_name = NULL;
- EVP_CIPHER *cipher = NULL;
- EVP_CIPHER_CTX *cctx = NULL;
- if (!ossl_assert(el != NULL
- && ossl_qrl_enc_level_set_has_keyslot(els, enc_level,
- tgt_state, keyslot))) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
- return 0;
- }
- cipher_name = ossl_qrl_get_suite_cipher_name(el->suite_id);
- iv_len = ossl_qrl_get_suite_cipher_iv_len(el->suite_id);
- key_len = ossl_qrl_get_suite_cipher_key_len(el->suite_id);
- if (cipher_name == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- if (secret_len != ossl_qrl_get_suite_secret_len(el->suite_id)
- || secret_len > EVP_MAX_KEY_LENGTH) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- assert(el->cctx[keyslot] == NULL);
- /* Derive "quic iv" key. */
- if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
- el->md,
- secret,
- quic_v1_iv_label,
- sizeof(quic_v1_iv_label),
- NULL, 0,
- el->iv[keyslot], iv_len, 1))
- goto err;
- /* Derive "quic key" key. */
- if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
- el->md,
- secret,
- quic_v1_key_label,
- sizeof(quic_v1_key_label),
- NULL, 0,
- key, key_len, 1))
- goto err;
- /* Create and initialise cipher context. */
- if ((cipher = EVP_CIPHER_fetch(el->libctx, cipher_name, el->propq)) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- goto err;
- }
- if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- goto err;
- }
- if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher))
- || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- /* IV will be changed on RX/TX so we don't need to use a real value here. */
- if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv[keyslot], 0)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- goto err;
- }
- el->cctx[keyslot] = cctx;
- /* Zeroize intermediate keys. */
- OPENSSL_cleanse(key, sizeof(key));
- EVP_CIPHER_free(cipher);
- return 1;
- err:
- EVP_CIPHER_CTX_free(cctx);
- EVP_CIPHER_free(cipher);
- OPENSSL_cleanse(el->iv[keyslot], sizeof(el->iv[keyslot]));
- OPENSSL_cleanse(key, sizeof(key));
- return 0;
- }
- int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els,
- OSSL_LIB_CTX *libctx,
- const char *propq,
- uint32_t enc_level,
- uint32_t suite_id,
- EVP_MD *md,
- const unsigned char *secret,
- size_t secret_len,
- unsigned char init_key_phase_bit,
- int is_tx)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- unsigned char ku_key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH];
- int have_ks0 = 0, have_ks1 = 0, own_md = 0;
- const char *md_name = ossl_qrl_get_suite_md_name(suite_id);
- size_t hpr_key_len, init_keyslot;
- if (el == NULL
- || md_name == NULL
- || init_key_phase_bit > 1 || is_tx < 0 || is_tx > 1
- || (init_key_phase_bit > 0 && enc_level != QUIC_ENC_LEVEL_1RTT)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
- return 0;
- }
- if (enc_level == QUIC_ENC_LEVEL_INITIAL
- && el->state == QRL_EL_STATE_PROV_NORMAL) {
- /*
- * Sometimes the INITIAL EL needs to be reprovisioned, namely if a
- * connection retry occurs. Exceptionally, if the caller wants to
- * reprovision the INITIAL EL, tear it down as usual and then override
- * the state so it can be provisioned again.
- */
- ossl_qrl_enc_level_set_discard(els, enc_level);
- el->state = QRL_EL_STATE_UNPROV;
- }
- if (el->state != QRL_EL_STATE_UNPROV) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- init_keyslot = is_tx ? 0 : init_key_phase_bit;
- hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id);
- if (hpr_key_len == 0) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- if (md == NULL) {
- md = EVP_MD_fetch(libctx, md_name, propq);
- if (md == NULL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
- return 0;
- }
- own_md = 1;
- }
- el->libctx = libctx;
- el->propq = propq;
- el->md = md;
- el->suite_id = suite_id;
- el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id);
- el->op_count = 0;
- el->key_epoch = (uint64_t)init_key_phase_bit;
- el->is_tx = (unsigned char)is_tx;
- /* Derive "quic hp" key. */
- if (!tls13_hkdf_expand_ex(libctx, propq,
- md,
- secret,
- quic_v1_hp_label,
- sizeof(quic_v1_hp_label),
- NULL, 0,
- hpr_key, hpr_key_len, 1))
- goto err;
- /* Setup KS0 (or KS1 if init_key_phase_bit), our initial keyslot. */
- if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
- init_keyslot, secret, secret_len))
- goto err;
- have_ks0 = 1;
- if (enc_level == QUIC_ENC_LEVEL_1RTT) {
- /* Derive "quic ku" key (the epoch 1 secret). */
- if (!tls13_hkdf_expand_ex(libctx, propq,
- md,
- secret,
- quic_v1_ku_label,
- sizeof(quic_v1_ku_label),
- NULL, 0,
- is_tx ? el->ku : ku_key, secret_len, 1))
- goto err;
- if (!is_tx) {
- /* Setup KS1 (or KS0 if init_key_phase_bit), our next keyslot. */
- if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
- !init_keyslot, ku_key, secret_len))
- goto err;
- have_ks1 = 1;
- /* Derive NEXT "quic ku" key (the epoch 2 secret). */
- if (!tls13_hkdf_expand_ex(libctx, propq,
- md,
- ku_key,
- quic_v1_ku_label,
- sizeof(quic_v1_ku_label),
- NULL, 0,
- el->ku, secret_len, 1))
- goto err;
- }
- }
- /* Setup header protection context. */
- if (!ossl_quic_hdr_protector_init(&el->hpr,
- libctx, propq,
- ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id),
- hpr_key, hpr_key_len))
- goto err;
- /*
- * We are now provisioned: KS0 has our current key (for key epoch 0), KS1
- * has our next key (for key epoch 1, in the case of the 1-RTT EL only), and
- * el->ku has the secret which will be used to generate keys for key epoch
- * 2.
- */
- OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
- OPENSSL_cleanse(ku_key, sizeof(ku_key));
- el->state = QRL_EL_STATE_PROV_NORMAL;
- return 1;
- err:
- el->suite_id = 0;
- el->md = NULL;
- OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
- OPENSSL_cleanse(ku_key, sizeof(ku_key));
- OPENSSL_cleanse(el->ku, sizeof(el->ku));
- if (have_ks0)
- el_teardown_keyslot(els, enc_level, init_keyslot);
- if (have_ks1)
- el_teardown_keyslot(els, enc_level, !init_keyslot);
- if (own_md)
- EVP_MD_free(md);
- return 0;
- }
- int ossl_qrl_enc_level_set_key_update(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- size_t secret_len;
- unsigned char new_ku[EVP_MAX_KEY_LENGTH];
- if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
- return 0;
- }
- if (el->state != QRL_EL_STATE_PROV_NORMAL) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- if (!el->is_tx) {
- /*
- * We already have the key for the next epoch, so just move to using it.
- */
- ++el->key_epoch;
- el->state = QRL_EL_STATE_PROV_UPDATING;
- return 1;
- }
- /*
- * TX case. For the TX side we use only keyslot 0; it replaces the old key
- * immediately.
- */
- secret_len = ossl_qrl_get_suite_secret_len(el->suite_id);
- /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
- if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
- el->md, el->ku,
- quic_v1_ku_label,
- sizeof(quic_v1_ku_label),
- NULL, 0,
- new_ku, secret_len, 1))
- return 0;
- el_teardown_keyslot(els, enc_level, 0);
- /* Setup keyslot for CURRENT "quic ku" key. */
- if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
- 0, el->ku, secret_len))
- return 0;
- ++el->key_epoch;
- el->op_count = 0;
- memcpy(el->ku, new_ku, secret_len);
- /* Remain in PROV_NORMAL state */
- return 1;
- }
- /* Transitions from PROV_UPDATING to PROV_COOLDOWN. */
- int ossl_qrl_enc_level_set_key_update_done(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
- return 0;
- }
- /* No new key yet, but erase key material to aid PFS. */
- el_teardown_keyslot(els, enc_level, ~el->key_epoch & 1);
- el->state = QRL_EL_STATE_PROV_COOLDOWN;
- return 1;
- }
- /*
- * Transitions from PROV_COOLDOWN to PROV_NORMAL. (If in PROV_UPDATING,
- * auto-transitions to PROV_COOLDOWN first.)
- */
- int ossl_qrl_enc_level_set_key_cooldown_done(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- size_t secret_len;
- unsigned char new_ku[EVP_MAX_KEY_LENGTH];
- if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
- return 0;
- }
- if (el->state == QRL_EL_STATE_PROV_UPDATING
- && !ossl_qrl_enc_level_set_key_update_done(els, enc_level)) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- if (el->state != QRL_EL_STATE_PROV_COOLDOWN) {
- ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- secret_len = ossl_qrl_get_suite_secret_len(el->suite_id);
- if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
- ~el->key_epoch & 1, el->ku, secret_len))
- return 0;
- /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
- if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
- el->md,
- el->ku,
- quic_v1_ku_label,
- sizeof(quic_v1_ku_label),
- NULL, 0,
- new_ku, secret_len, 1)) {
- el_teardown_keyslot(els, enc_level, ~el->key_epoch & 1);
- return 0;
- }
- memcpy(el->ku, new_ku, secret_len);
- el->state = QRL_EL_STATE_PROV_NORMAL;
- return 1;
- }
- /*
- * Discards keying material for a given encryption level. Transitions from any
- * state to DISCARDED.
- */
- void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els,
- uint32_t enc_level)
- {
- OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
- if (el == NULL || el->state == QRL_EL_STATE_DISCARDED)
- return;
- if (ossl_qrl_enc_level_set_have_el(els, enc_level) == 1) {
- ossl_quic_hdr_protector_cleanup(&el->hpr);
- el_teardown_keyslot(els, enc_level, 0);
- el_teardown_keyslot(els, enc_level, 1);
- }
- EVP_MD_free(el->md);
- el->md = NULL;
- el->state = QRL_EL_STATE_DISCARDED;
- }
|