lsquic_crypto.c revision 229fce07
1/* Copyright (c) 2017 - 2019 LiteSpeed Technologies Inc.  See LICENSE. */
2#include <assert.h>
3#include <string.h>
4
5#include <openssl/ssl.h>
6#include <openssl/crypto.h>
7#include <openssl/stack.h>
8#include <openssl/x509.h>
9#include <openssl/rand.h>
10#include <openssl/curve25519.h>
11#include <openssl/hmac.h>
12
13#include <zlib.h>
14#ifdef WIN32
15#include <vc_compat.h>
16#endif
17
18#include "lsquic_types.h"
19#include "lsquic_crypto.h"
20#include "lsquic_alarmset.h"
21#include "lsquic_parse.h"
22#include "lsquic_util.h"
23#include "lsquic_str.h"
24
25#define LSQUIC_LOGGER_MODULE LSQLM_CRYPTO
26#include "lsquic_logger.h"
27
28
29static const char s_hs_signature[] = "QUIC CHLO and server config signature";
30static int crypto_inited = 0;
31
32
33void rand_bytes(void *data, int len)
34{
35    RAND_bytes(data, len);
36}
37
38
39uint64_t fnv1a_64(const uint8_t * data, int len)
40{
41    uint64_t hash = UINT64_C(14695981039346656037);
42    const uint8_t *end = data + len;
43    while(data < end)
44    {
45        hash ^= *data;
46        hash *= UINT64_C(1099511628211);
47        ++data;
48    }
49    return hash;
50}
51
52
53void fnv1a_64_s(const uint8_t * data, int len, char *md)
54{
55    uint64_t hash = fnv1a_64(data, len);
56    memcpy(md, (void *)&hash, 8);
57}
58
59
60#if defined( __x86_64 )||defined( __x86_64__ )
61
62static uint128 s_prime;
63static uint128 s_init_hash;
64
65
66static inline void make_uint128(uint128 *v, uint64_t hi, uint64_t lo)
67{
68    *v = hi;
69    *v <<= 64;
70    *v += lo;
71}
72
73
74void fnv1a_inc(uint128 *hash, const uint8_t *data, int len)
75{
76    const uint8_t* end = data + len;
77    while(data < end)
78    {
79        *hash = (*hash ^ (*data)) * s_prime;
80        ++data;
81    }
82}
83
84uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t *data2, int len2)
85{
86    uint128 hash;
87    memcpy(&hash, &s_init_hash, 16);
88
89    fnv1a_inc(&hash, data1, len1);
90    if (data2)
91        fnv1a_inc(&hash, data2, len2);
92    return hash;
93}
94
95uint128 fnv1a_128_3(const uint8_t *data1, int len1,
96                      const uint8_t *data2, int len2,
97                      const uint8_t *data3, int len3)
98{
99    uint128 hash;
100    memcpy(&hash, &s_init_hash, 16);
101
102    fnv1a_inc(&hash, data1, len1);
103    fnv1a_inc(&hash, data2, len2);
104    fnv1a_inc(&hash, data3, len3);
105    return hash;
106}
107
108void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t  *md)
109{
110    uint128 hash = fnv1a_128_2(data1, len1, data2, len2);
111    memcpy(md, (void *)&hash, 16);
112}
113
114/* HS_PKT_HASH_LENGTH bytes of md */
115void serialize_fnv128_short(uint128 v, uint8_t *md)
116{
117    memcpy(md, (void *)&v, 12);
118}
119
120#else
121uint128  *uint128_times(uint128 *v, const uint128 *factor)
122{
123    uint64_t a96 = v->hi_ >> 32;
124    uint64_t a64 = v->hi_ & 0xffffffffu;
125    uint64_t a32 = v->lo_ >> 32;
126    uint64_t a00 = v->lo_ & 0xffffffffu;
127    uint64_t b96 = factor->hi_ >> 32;
128    uint64_t b64 = factor->hi_ & 0xffffffffu;
129    uint64_t b32 = factor->lo_ >> 32;
130    uint64_t b00 = factor->lo_ & 0xffffffffu;
131    uint64_t tmp, lolo;
132    // multiply [a96 .. a00] x [b96 .. b00]
133    // terms higher than c96 disappear off the high side
134    // terms c96 and c64 are safe to ignore carry bit
135    uint64_t c96 = a96 * b00 + a64 * b32 + a32 * b64 + a00 * b96;
136    uint64_t c64 = a64 * b00 + a32 * b32 + a00 * b64;
137    v->hi_ = (c96 << 32) + c64;
138    v->lo_ = 0;
139
140    tmp = a32 * b00;
141    v->hi_ += tmp >> 32;
142    v->lo_ += tmp << 32;
143
144    tmp = a00 * b32;
145    v->hi_ += tmp >> 32;
146    v->lo_ += tmp << 32;
147
148    tmp = a00 * b00;
149    lolo = v->lo_ + tmp;
150    if (lolo < v->lo_)
151        ++v->hi_;
152    v->lo_ = lolo;
153
154    return v;
155}
156
157void fnv1a_inc(uint128 *hash, const uint8_t * data, int len)
158{
159    static const uint128 kPrime = {16777216, 315};
160    const uint8_t* end = data + len;
161    while(data < end)
162    {
163        hash->lo_ = (hash->lo_ ^ (uint64_t)*data);
164        uint128_times(hash, &kPrime);
165        ++data;
166    }
167}
168
169
170uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t * data2, int len2)
171{
172    uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)};
173    fnv1a_inc(&hash, data1, len1);
174    if (data2)
175        fnv1a_inc(&hash, data2, len2);
176    return hash;
177}
178
179
180uint128 fnv1a_128_3(const uint8_t * data1, int len1,
181                      const uint8_t * data2, int len2,
182                      const uint8_t * data3, int len3)
183{
184    uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)};
185    fnv1a_inc(&hash, data1, len1);
186    fnv1a_inc(&hash, data2, len2);
187    fnv1a_inc(&hash, data3, len3);
188    return hash;
189}
190
191
192void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t  *md)
193{
194    uint128 hash = fnv1a_128_2(data1, len1, data2, len2);
195    memcpy(md, (void *)&hash.lo_, 8);
196    memcpy(md + 8, (void *)&hash.hi_, 8);
197}
198
199/* HS_PKT_HASH_LENGTH bytes of md */
200void serialize_fnv128_short(uint128 v, uint8_t *md)
201{
202    assert(HS_PKT_HASH_LENGTH == 8 + 4);
203    memcpy(md, (void *)&v.lo_, 8);
204    memcpy(md + 8, (void *)&v.hi_, 4);
205}
206
207#endif
208
209uint128 fnv1a_128(const uint8_t * data, int len)
210{
211    return fnv1a_128_2(data, len , NULL, 0);
212}
213
214
215void fnv1a_128_s(const uint8_t * data, int len, uint8_t  *md)
216{
217    fnv1a_128_2_s(data, len, NULL, 0, md);
218}
219
220
221/* packet data = header + MD + payload */
222/* return 0 if OK */
223int verify_hs_pkt(const uint8_t *pkg_data, size_t header_len, size_t pkg_len)
224{
225    uint8_t md[HS_PKT_HASH_LENGTH];
226    uint128 hash;
227    if (pkg_len < header_len + HS_PKT_HASH_LENGTH)
228        return -1;
229
230    hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH,
231                       pkg_len - header_len - HS_PKT_HASH_LENGTH);
232    serialize_fnv128_short(hash, md);
233    return memcmp(md, pkg_data + header_len, HS_PKT_HASH_LENGTH);
234}
235
236/* packet data = header + MD + payload, update the MD part */
237int update_hs_pkt_hash(uint8_t *pkg_data, int header_len, int pkg_len)
238{
239    uint8_t md[HS_PKT_HASH_LENGTH];
240    uint128 hash;
241    if (pkg_len < header_len + HS_PKT_HASH_LENGTH)
242        return -1;
243
244    hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH,
245                       pkg_len - header_len - HS_PKT_HASH_LENGTH);
246    serialize_fnv128_short(hash, md);
247    memcpy(pkg_data + header_len, md, HS_PKT_HASH_LENGTH);
248    return 0;
249}
250
251int get_hs_pkt_hash_len()
252{
253    return HS_PKT_HASH_LENGTH;
254}
255
256
257void sha256(const uint8_t *buf, int len, uint8_t *h)
258{
259    SHA256_CTX ctx;
260    SHA256_Init(&ctx);
261    SHA256_Update(&ctx, buf, len);
262    SHA256_Final(h, &ctx);
263}
264
265
266/* base on rfc 5869 with sha256, prk is 32 bytes*/
267void lshkdf_extract(const unsigned char *ikm, int ikm_len, const unsigned char *salt,
268                  int salt_len, unsigned char *prk)
269{
270#ifndef NDEBUG
271    unsigned char *out;
272    unsigned int out_len;
273    out =
274#endif
275        HMAC(EVP_sha256(), salt, salt_len, ikm, ikm_len, prk,
276#ifndef NDEBUG
277                                                              &out_len
278#else
279                                                              NULL
280#endif
281                                                                      );
282    assert(out);
283    assert(out_len == 32);
284}
285
286
287#define SHA256LEN   32
288int lshkdf_expand(const unsigned char *prk, const unsigned char *info, int info_len,
289                uint16_t c_key_len, uint8_t *c_key,
290                uint16_t s_key_len, uint8_t *s_key,
291                uint16_t c_key_iv_len, uint8_t *c_key_iv,
292                uint16_t s_key_iv_len, uint8_t *s_key_iv,
293                uint16_t sub_key_len, uint8_t *sub_key)
294{
295    int L = c_key_len + s_key_len + c_key_iv_len + s_key_iv_len + sub_key_len;
296    int N = (L + SHA256LEN - 1) / SHA256LEN;
297    unsigned char *p_org;
298    uint8_t *buf;
299    unsigned char *p;
300    unsigned char T[SHA256LEN + 1];
301    int T_len = 0;
302    int i;
303    uint8_t *pb;
304
305    p_org = malloc(N * SHA256LEN);
306    if (!p_org)
307        return -1;
308
309    buf = malloc(SHA256LEN + info_len + 13);
310    if (!buf)
311    {
312        free(p_org);
313        return -1;
314    }
315
316    p = p_org;
317
318    for (i = 1; i <= N; ++i)
319    {
320        pb = buf;
321        if (T_len > 0)
322        {
323            memcpy(pb, T, T_len);
324            pb += T_len;
325        }
326
327        memcpy(pb, info, info_len);
328        pb += info_len;
329        *pb = i;
330        ++pb;
331
332        HMAC(EVP_sha256(), prk, SHA256LEN, buf, pb - buf, T, NULL);
333        if (i != N)
334            T_len = SHA256LEN;
335        else
336            T_len = L - (N - 1) * SHA256LEN;
337
338        memcpy(p, T, T_len);
339        p += T_len;
340    }
341
342    free(buf);
343
344    p = p_org;
345    if (c_key_len)
346    {
347        memcpy(c_key, p, c_key_len);
348        p += c_key_len;
349    }
350    if (s_key_len)
351    {
352        memcpy(s_key, p, s_key_len);
353        p += s_key_len;
354    }
355    if (c_key_iv_len)
356    {
357        memcpy(c_key_iv, p, c_key_iv_len);
358        p += c_key_iv_len;
359    }
360    if (s_key_iv_len)
361    {
362        memcpy(s_key_iv, p, s_key_iv_len);
363        p += s_key_iv_len;
364    }
365    if (sub_key_len && sub_key)
366    {
367        memcpy(sub_key, p, sub_key_len);
368        p += sub_key_len;
369    }
370
371    free(p_org);
372    return 0;
373}
374
375
376int export_key_material_simple(unsigned char *ikm, uint32_t ikm_len,
377                        unsigned char *salt, int salt_len,
378                        char *label, uint32_t label_len,
379                        const uint8_t *context, uint32_t context_len,
380                        uint8_t *key, uint16_t key_len)
381{
382    unsigned char prk[32];
383    int info_len;
384    uint8_t *info = NULL;
385    info = (uint8_t *)malloc(label_len + 1 + sizeof(uint32_t) + context_len);
386    if (!info)
387        return -1;
388
389    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);
390    memcpy(info, label, label_len);
391    info[label_len] = 0x00;
392    info_len = label_len + 1;
393    memcpy(info + info_len, &context_len, sizeof(uint32_t));
394    info_len += sizeof(uint32_t);
395    memcpy(info + info_len, context, context_len);
396    info_len += context_len;
397    lshkdf_expand(prk, info, info_len, key_len, key,
398                0, NULL, 0, NULL,0, NULL, 0, NULL);
399    free(info);
400    return 0;
401}
402
403
404int export_key_material(const unsigned char *ikm, uint32_t ikm_len,
405                        const unsigned char *salt, int salt_len,
406                        const unsigned char *context, uint32_t context_len,
407                        uint16_t c_key_len, uint8_t *c_key,
408                        uint16_t s_key_len, uint8_t *s_key,
409                        uint16_t c_key_iv_len, uint8_t *c_key_iv,
410                        uint16_t s_key_iv_len, uint8_t *s_key_iv,
411                        uint8_t *sub_key)
412{
413    unsigned char prk[32];
414    uint16_t sub_key_len = ikm_len;
415
416    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);
417    lshkdf_expand(prk, context, context_len, c_key_len, c_key,
418                s_key_len, s_key, c_key_iv_len, c_key_iv, s_key_iv_len,
419                s_key_iv, sub_key_len, sub_key);
420    return 0;
421}
422
423void c255_get_pub_key(unsigned char *priv_key, unsigned char pub_key[32])
424{
425    X25519_public_from_private(pub_key, priv_key);
426}
427
428
429int c255_gen_share_key(unsigned char *priv_key, unsigned char *peer_pub_key, unsigned char *shared_key)
430{
431    return X25519(shared_key, priv_key, peer_pub_key);
432}
433
434
435
436/* AEAD nonce is always zero */
437/* return 0 for OK */
438int aes_aead_enc(EVP_AEAD_CTX *key,
439              const uint8_t *ad, size_t ad_len,
440              const uint8_t *nonce, size_t nonce_len,
441              const uint8_t *plain, size_t plain_len,
442              uint8_t *cypher, size_t *cypher_len)
443{
444    int ret = 0;
445    size_t max_out_len;
446    max_out_len = *cypher_len;//plain_len + EVP_AEAD_max_overhead(aead_);
447    assert(*cypher_len >= max_out_len);
448
449    LSQ_DEBUG("***aes_aead_enc data %s", get_bin_str(plain, plain_len, 40));
450    ret = EVP_AEAD_CTX_seal(key, cypher, cypher_len, max_out_len,
451                            nonce, nonce_len, plain, plain_len, ad, ad_len);
452//     LSQ_DEBUG("***aes_aead_enc nonce: %s", get_bin_str(nonce, nonce_len));
453//     LSQ_DEBUG("***aes_aead_enc AD: %s", get_bin_str(ad, ad_len));
454//     LSQ_DEBUG("***aes_aead_enc return %d", (ret ? 0 : -1));
455    if (ret)
456    {
457        LSQ_DEBUG("***aes_aead_enc succeed, cypher content %s",
458                  get_bin_str(cypher, *cypher_len, 40));
459        return 0;
460    }
461    else
462    {
463        LSQ_DEBUG("***aes_aead_enc failed.");
464        return -1;
465    }
466}
467
468
469/* return 0 for OK */
470int aes_aead_dec(EVP_AEAD_CTX *key,
471              const uint8_t *ad, size_t ad_len,
472              const uint8_t *nonce, size_t nonce_len,
473              const uint8_t *cypher, size_t cypher_len,
474              uint8_t *plain, size_t *plain_len)
475{
476    int ret = 0;
477    size_t max_out_len = *plain_len;
478    assert(max_out_len >= cypher_len);
479
480    LSQ_DEBUG("***aes_aead_dec data %s", get_bin_str(cypher, cypher_len, 40));
481
482
483    ret = EVP_AEAD_CTX_open(key, plain, plain_len, max_out_len,
484                            nonce, nonce_len, cypher, cypher_len, ad, ad_len);
485
486//    LSQ_DEBUG("***aes_aead_dec nonce: %s", get_bin_str(nonce, nonce_len));
487//    LSQ_DEBUG("***aes_aead_dec AD: %s", get_bin_str(ad, ad_len));
488//    LSQ_DEBUG("***aes_aead_dec return %d", (ret ? 0 : -1));
489    if (ret)
490    {
491        LSQ_DEBUG("***aes_aead_dec succeed, plain content %s",
492              get_bin_str(plain, *plain_len, 20));
493        return 0;
494    }
495    else
496    {
497        LSQ_DEBUG("***aes_aead_dec failed.");
498        return -1;
499    }
500}
501
502/* aes 128, 16 bytes */
503int aes_get_key_length()
504{
505    return 16;
506}
507
508void gen_nonce_s(char *buf, int length)
509{
510    rand_bytes(buf, length);
511}
512
513/* 32 bytes client nonce with 4 bytes tm, 8 bytes orbit */
514void gen_nonce_c(unsigned char *buf, uint64_t orbit)
515{
516    time_t tm = time(NULL);
517    unsigned char *p = buf;
518    memcpy(p, &tm, 4);
519    p += 4;
520    memcpy(p, &orbit, 8);
521    p += 8;
522    rand_bytes(p, 20);
523    p += 20;
524}
525
526
527EVP_PKEY *PEM_to_key(const char *buf, int len)
528{
529    RSA *rsa = NULL;
530    EVP_PKEY *key = EVP_PKEY_new();
531    BIO *bio = BIO_new_mem_buf(buf, len);
532    if (!bio || !key)
533        return NULL;
534
535    rsa = PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL);
536    if (!rsa)
537        return NULL;
538
539    EVP_PKEY_assign_RSA(key, rsa);
540    return key;
541}
542
543
544/* type 0 DER, 1: PEM */
545X509 *bio_to_crt(const void *buf, int len, int type)
546{
547    X509 *crt = NULL;
548    BIO *bio = BIO_new_mem_buf(buf, len);
549    if (bio == NULL)
550        return NULL;
551
552    if (type == 0)
553        crt = d2i_X509_bio(bio, NULL);
554    else
555        crt = PEM_read_bio_X509(bio, &crt, 0 , NULL);
556    BIO_free(bio);
557    return crt;
558}
559
560
561int read_rsa_priv_key(const uint8_t *buf, int len, EVP_PKEY *pkey)
562{
563
564    RSA *rsa = RSA_private_key_from_bytes(buf, len);
565    if (!rsa)
566        return -1;
567
568    return EVP_PKEY_assign_RSA(pkey, rsa);
569}
570
571
572int gen_prof(const uint8_t *chlo_data, size_t chlo_data_len,
573             const uint8_t *scfg_data, uint32_t scfg_data_len,
574             const EVP_PKEY *priv_key, uint8_t *buf, size_t *buf_len)
575{
576    uint8_t chlo_hash[32] = {0};
577    size_t chlo_hash_len = 32; /* SHA256 */
578    EVP_MD_CTX sign_context;
579    EVP_PKEY_CTX* pkey_ctx = NULL;
580
581    sha256(chlo_data, chlo_data_len, chlo_hash);
582    EVP_MD_CTX_init(&sign_context);
583    if (!EVP_DigestSignInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)priv_key))
584        return -1;
585
586    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
587    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);
588
589    if (!EVP_DigestSignUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
590        !EVP_DigestSignUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
591        !EVP_DigestSignUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
592        !EVP_DigestSignUpdate(&sign_context, scfg_data, scfg_data_len))
593    {
594        return -1;
595    }
596
597    size_t len = 0;
598    if (!EVP_DigestSignFinal(&sign_context, NULL, &len)) {
599        return -1;
600    }
601
602    if (len > *buf_len)
603        return -2;
604    if (buf)
605        EVP_DigestSignFinal(&sign_context, buf, buf_len);
606
607    EVP_MD_CTX_cleanup(&sign_context);
608    return 0;
609}
610
611
612int verify_prof(const uint8_t *chlo_data, size_t chlo_data_len, lsquic_str_t * scfg,
613                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
614{
615    return verify_prof0(chlo_data, chlo_data_len,
616                        (const uint8_t *)lsquic_str_buf(scfg),
617                        lsquic_str_len(scfg), pub_key, buf, len);
618}
619
620
621
622
623/* -3 internal error, -1: verify failed, 0: Success */
624int verify_prof0(const uint8_t *chlo_data, size_t chlo_data_len,
625                const uint8_t *scfg_data, uint32_t scfg_data_len,
626                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
627{
628    uint8_t chlo_hash[32] = {0};
629    size_t chlo_hash_len = 32; /* SHA256 */
630    EVP_MD_CTX sign_context;
631    EVP_PKEY_CTX* pkey_ctx = NULL;
632    int ret = 0;
633    EVP_MD_CTX_init(&sign_context);
634    sha256(chlo_data, chlo_data_len, chlo_hash);
635
636    // discarding const below to quiet compiler warning on call to ssl library code
637    if (!EVP_DigestVerifyInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)pub_key))
638        return -4;
639
640    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
641    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);
642
643
644    if (!EVP_DigestVerifyUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
645        !EVP_DigestVerifyUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
646        !EVP_DigestVerifyUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
647        !EVP_DigestVerifyUpdate(&sign_context, scfg_data, scfg_data_len))
648    {
649        return -3;  /* set to -3, to avoid same as "not enough data" -2 */
650    }
651
652    ret = EVP_DigestVerifyFinal(&sign_context, buf, len);
653    EVP_MD_CTX_cleanup(&sign_context);
654
655    if (ret == 1)
656        return 0; //OK
657    else
658        return -1;  //failed
659}
660
661
662void crypto_init(void)
663{
664    if (crypto_inited)
665        return ;
666
667    //SSL_library_init();
668    CRYPTO_library_init();
669    /* XXX Should we seed? If yes, wherewith? */ // RAND_seed(seed, seed_len);
670
671#if defined( __x86_64 )||defined( __x86_64__ )
672    make_uint128(&s_prime, 16777216, 315);
673    make_uint128(&s_init_hash, 7809847782465536322, 7113472399480571277);
674#endif
675
676    /* MORE .... */
677    crypto_inited = 1;
678}
679
680