lsquic_crypto.c revision 461e84d8
1/* Copyright (c) 2017 LiteSpeed Technologies Inc. See LICENSE. */ 2#include <assert.h> 3#include <string.h> 4 5#include <openssl/ssl.h> 6#include <openssl/crypto.h> 7#include <openssl/stack.h> 8#include <openssl/x509.h> 9#include <openssl/rand.h> 10#include <openssl/curve25519.h> 11#include <openssl/hmac.h> 12 13#include <zlib.h> 14#ifdef WIN32 15#include <vc_compat.h> 16#endif 17 18#include "lsquic_types.h" 19#include "lsquic_crypto.h" 20#include "lsquic_alarmset.h" 21#include "lsquic_parse.h" 22#include "lsquic_util.h" 23#include "lsquic_str.h" 24 25#define LSQUIC_LOGGER_MODULE LSQLM_CRYPTO 26#include "lsquic_logger.h" 27 28 29static const char s_hs_signature[] = "QUIC CHLO and server config signature"; 30static int crypto_inited = 0; 31 32 33void rand_bytes(void *data, int len) 34{ 35 RAND_bytes(data, len); 36} 37 38 39uint64_t fnv1a_64(const uint8_t * data, int len) 40{ 41 uint64_t hash = UINT64_C(14695981039346656037); 42 const uint8_t *end = data + len; 43 while(data < end) 44 { 45 hash ^= *data; 46 hash *= UINT64_C(1099511628211); 47 ++data; 48 } 49 return hash; 50} 51 52 53void fnv1a_64_s(const uint8_t * data, int len, char *md) 54{ 55 uint64_t hash = fnv1a_64(data, len); 56 memcpy(md, (void *)&hash, 8); 57} 58 59 60#if defined( __x86_64 )||defined( __x86_64__ ) 61 62static uint128 s_prime; 63static uint128 s_init_hash; 64 65 66static inline void make_uint128(uint128 *v, uint64_t hi, uint64_t lo) 67{ 68 *v = hi; 69 *v <<= 64; 70 *v += lo; 71} 72 73 74void fnv1a_inc(uint128 *hash, const uint8_t *data, int len) 75{ 76 const uint8_t* end = data + len; 77 while(data < end) 78 { 79 *hash = (*hash ^ (*data)) * s_prime; 80 ++data; 81 } 82} 83 84uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t *data2, int len2) 85{ 86 uint128 hash; 87 memcpy(&hash, &s_init_hash, 16); 88 89 fnv1a_inc(&hash, data1, len1); 90 if (data2) 91 fnv1a_inc(&hash, data2, len2); 92 return hash; 93} 94 95uint128 fnv1a_128_3(const uint8_t *data1, int len1, 96 const uint8_t *data2, int len2, 97 const uint8_t *data3, int len3) 98{ 99 uint128 hash; 100 memcpy(&hash, &s_init_hash, 16); 101 102 fnv1a_inc(&hash, data1, len1); 103 fnv1a_inc(&hash, data2, len2); 104 fnv1a_inc(&hash, data3, len3); 105 return hash; 106} 107 108void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t *md) 109{ 110 uint128 hash = fnv1a_128_2(data1, len1, data2, len2); 111 memcpy(md, (void *)&hash, 16); 112} 113 114/* HS_PKT_HASH_LENGTH bytes of md */ 115void serialize_fnv128_short(uint128 v, uint8_t *md) 116{ 117 memcpy(md, (void *)&v, 12); 118} 119 120#else 121uint128 *uint128_times(uint128 *v, const uint128 *factor) 122{ 123 uint64_t a96 = v->hi_ >> 32; 124 uint64_t a64 = v->hi_ & 0xffffffffu; 125 uint64_t a32 = v->lo_ >> 32; 126 uint64_t a00 = v->lo_ & 0xffffffffu; 127 uint64_t b96 = factor->hi_ >> 32; 128 uint64_t b64 = factor->hi_ & 0xffffffffu; 129 uint64_t b32 = factor->lo_ >> 32; 130 uint64_t b00 = factor->lo_ & 0xffffffffu; 131 uint64_t tmp, lolo; 132 // multiply [a96 .. a00] x [b96 .. b00] 133 // terms higher than c96 disappear off the high side 134 // terms c96 and c64 are safe to ignore carry bit 135 uint64_t c96 = a96 * b00 + a64 * b32 + a32 * b64 + a00 * b96; 136 uint64_t c64 = a64 * b00 + a32 * b32 + a00 * b64; 137 v->hi_ = (c96 << 32) + c64; 138 v->lo_ = 0; 139 140 tmp = a32 * b00; 141 v->hi_ += tmp >> 32; 142 v->lo_ += tmp << 32; 143 144 tmp = a00 * b32; 145 v->hi_ += tmp >> 32; 146 v->lo_ += tmp << 32; 147 148 tmp = a00 * b00; 149 lolo = v->lo_ + tmp; 150 if (lolo < v->lo_) 151 ++v->hi_; 152 v->lo_ = lolo; 153 154 return v; 155} 156 157void fnv1a_inc(uint128 *hash, const uint8_t * data, int len) 158{ 159 static const uint128 kPrime = {16777216, 315}; 160 const uint8_t* end = data + len; 161 while(data < end) 162 { 163 hash->lo_ = (hash->lo_ ^ (uint64_t)*data); 164 uint128_times(hash, &kPrime); 165 ++data; 166 } 167} 168 169 170uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t * data2, int len2) 171{ 172 uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)}; 173 fnv1a_inc(&hash, data1, len1); 174 if (data2) 175 fnv1a_inc(&hash, data2, len2); 176 return hash; 177} 178 179 180uint128 fnv1a_128_3(const uint8_t * data1, int len1, 181 const uint8_t * data2, int len2, 182 const uint8_t * data3, int len3) 183{ 184 uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)}; 185 fnv1a_inc(&hash, data1, len1); 186 fnv1a_inc(&hash, data2, len2); 187 fnv1a_inc(&hash, data3, len3); 188 return hash; 189} 190 191 192void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t *md) 193{ 194 uint128 hash = fnv1a_128_2(data1, len1, data2, len2); 195 memcpy(md, (void *)&hash.lo_, 8); 196 memcpy(md + 8, (void *)&hash.hi_, 8); 197} 198 199/* HS_PKT_HASH_LENGTH bytes of md */ 200void serialize_fnv128_short(uint128 v, uint8_t *md) 201{ 202 assert(HS_PKT_HASH_LENGTH == 8 + 4); 203 memcpy(md, (void *)&v.lo_, 8); 204 memcpy(md + 8, (void *)&v.hi_, 4); 205} 206 207#endif 208 209uint128 fnv1a_128(const uint8_t * data, int len) 210{ 211 return fnv1a_128_2(data, len , NULL, 0); 212} 213 214 215void fnv1a_128_s(const uint8_t * data, int len, uint8_t *md) 216{ 217 fnv1a_128_2_s(data, len, NULL, 0, md); 218} 219 220 221/* packet data = header + MD + payload */ 222/* return 0 if OK */ 223int verify_hs_pkt(const uint8_t *pkg_data, size_t header_len, size_t pkg_len) 224{ 225 uint8_t md[HS_PKT_HASH_LENGTH]; 226 uint128 hash; 227 if (pkg_len < header_len + HS_PKT_HASH_LENGTH) 228 return -1; 229 230 hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH, 231 pkg_len - header_len - HS_PKT_HASH_LENGTH); 232 serialize_fnv128_short(hash, md); 233 return memcmp(md, pkg_data + header_len, HS_PKT_HASH_LENGTH); 234} 235 236/* packet data = header + MD + payload, update the MD part */ 237int update_hs_pkt_hash(uint8_t *pkg_data, int header_len, int pkg_len) 238{ 239 uint8_t md[HS_PKT_HASH_LENGTH]; 240 uint128 hash; 241 if (pkg_len < header_len + HS_PKT_HASH_LENGTH) 242 return -1; 243 244 hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH, 245 pkg_len - header_len - HS_PKT_HASH_LENGTH); 246 serialize_fnv128_short(hash, md); 247 memcpy(pkg_data + header_len, md, HS_PKT_HASH_LENGTH); 248 return 0; 249} 250 251int get_hs_pkt_hash_len() 252{ 253 return HS_PKT_HASH_LENGTH; 254} 255 256 257void sha256(const uint8_t *buf, int len, uint8_t *h) 258{ 259 SHA256_CTX ctx; 260 SHA256_Init(&ctx); 261 SHA256_Update(&ctx, buf, len); 262 SHA256_Final(h, &ctx); 263} 264 265 266/* base on rfc 5869 with sha256, prk is 32 bytes*/ 267void lshkdf_extract(const unsigned char *ikm, int ikm_len, const unsigned char *salt, 268 int salt_len, unsigned char *prk) 269{ 270#ifndef NDEBUG 271 unsigned char *out; 272 unsigned int out_len; 273 out = 274#endif 275 HMAC(EVP_sha256(), salt, salt_len, ikm, ikm_len, prk, 276#ifndef NDEBUG 277 &out_len 278#else 279 NULL 280#endif 281 ); 282 assert(out); 283 assert(out_len == 32); 284} 285 286 287#define SHA256LEN 32 288int lshkdf_expand(const unsigned char *prk, const unsigned char *info, int info_len, 289 uint16_t c_key_len, uint8_t *c_key, 290 uint16_t s_key_len, uint8_t *s_key, 291 uint16_t c_key_iv_len, uint8_t *c_key_iv, 292 uint16_t s_key_iv_len, uint8_t *s_key_iv, 293 uint16_t sub_key_len, uint8_t *sub_key) 294{ 295 int L = c_key_len + s_key_len + c_key_iv_len + s_key_iv_len + sub_key_len; 296 int N = (L + SHA256LEN - 1) / SHA256LEN; 297 unsigned char *p_org; 298 uint8_t *buf; 299 unsigned char *p; 300 unsigned char T[SHA256LEN + 1]; 301 int T_len = 0; 302 int i; 303 uint8_t *pb; 304 305 p_org = malloc(N * SHA256LEN); 306 if (!p_org) 307 return -1; 308 309 buf = malloc(SHA256LEN + info_len + 13); 310 if (!buf) 311 { 312 free(p_org); 313 return -1; 314 } 315 316 p = p_org; 317 318 for (i = 1; i <= N; ++i) 319 { 320 pb = buf; 321 if (T_len > 0) 322 { 323 memcpy(pb, T, T_len); 324 pb += T_len; 325 } 326 327 memcpy(pb, info, info_len); 328 pb += info_len; 329 *pb = i; 330 ++pb; 331 332 HMAC(EVP_sha256(), prk, SHA256LEN, buf, pb - buf, T, NULL); 333 if (i != N) 334 T_len = SHA256LEN; 335 else 336 T_len = L - (N - 1) * SHA256LEN; 337 338 memcpy(p, T, T_len); 339 p += T_len; 340 } 341 342 free(buf); 343 344 p = p_org; 345 if (c_key_len) 346 { 347 memcpy(c_key, p, c_key_len); 348 p += c_key_len; 349 } 350 if (s_key_len) 351 { 352 memcpy(s_key, p, s_key_len); 353 p += s_key_len; 354 } 355 if (c_key_iv_len) 356 { 357 memcpy(c_key_iv, p, c_key_iv_len); 358 p += c_key_iv_len; 359 } 360 if (s_key_iv_len) 361 { 362 memcpy(s_key_iv, p, s_key_iv_len); 363 p += s_key_iv_len; 364 } 365 if (sub_key_len && sub_key) 366 { 367 memcpy(sub_key, p, sub_key_len); 368 p += sub_key_len; 369 } 370 371 free(p_org); 372 return 0; 373} 374 375 376int export_key_material_simple(unsigned char *ikm, uint32_t ikm_len, 377 unsigned char *salt, int salt_len, 378 char *label, uint32_t label_len, 379 const uint8_t *context, uint32_t context_len, 380 uint8_t *key, uint16_t key_len) 381{ 382 unsigned char prk[32]; 383 int info_len; 384 uint8_t *info = NULL; 385 info = (uint8_t *)malloc(label_len + 1 + sizeof(uint32_t) + context_len); 386 if (!info) 387 return -1; 388 389 lshkdf_extract(ikm, ikm_len, salt, salt_len, prk); 390 memcpy(info, label, label_len); 391 info[label_len] = 0x00; 392 info_len = label_len + 1; 393 memcpy(info + info_len, &context_len, sizeof(uint32_t)); 394 info_len += sizeof(uint32_t); 395 memcpy(info + info_len, context, context_len); 396 info_len += context_len; 397 lshkdf_expand(prk, info, info_len, key_len, key, 398 0, NULL, 0, NULL,0, NULL, 0, NULL); 399 free(info); 400 return 0; 401} 402 403 404int export_key_material(const unsigned char *ikm, uint32_t ikm_len, 405 const unsigned char *salt, int salt_len, 406 const unsigned char *context, uint32_t context_len, 407 uint16_t c_key_len, uint8_t *c_key, 408 uint16_t s_key_len, uint8_t *s_key, 409 uint16_t c_key_iv_len, uint8_t *c_key_iv, 410 uint16_t s_key_iv_len, uint8_t *s_key_iv, 411 uint8_t *sub_key) 412{ 413 unsigned char prk[32]; 414 uint16_t sub_key_len = ikm_len; 415 416 lshkdf_extract(ikm, ikm_len, salt, salt_len, prk); 417 lshkdf_expand(prk, context, context_len, c_key_len, c_key, 418 s_key_len, s_key, c_key_iv_len, c_key_iv, s_key_iv_len, 419 s_key_iv, sub_key_len, sub_key); 420 return 0; 421} 422 423void c255_get_pub_key(unsigned char *priv_key, unsigned char pub_key[32]) 424{ 425 X25519_public_from_private(pub_key, priv_key); 426} 427 428 429int c255_gen_share_key(unsigned char *priv_key, unsigned char *peer_pub_key, unsigned char *shared_key) 430{ 431 return X25519(shared_key, priv_key, peer_pub_key); 432} 433 434 435 436/* AEAD nonce is always zero */ 437/* return 0 for OK */ 438int aes_aead_enc(EVP_AEAD_CTX *key, 439 const uint8_t *ad, size_t ad_len, 440 const uint8_t *nonce, size_t nonce_len, 441 const uint8_t *plain, size_t plain_len, 442 uint8_t *cypher, size_t *cypher_len) 443{ 444 int ret = 0; 445 size_t max_out_len; 446 max_out_len = *cypher_len;//plain_len + EVP_AEAD_max_overhead(aead_); 447 assert(*cypher_len >= max_out_len); 448 449 LSQ_DEBUG("***aes_aead_enc data %s", get_bin_str(plain, plain_len, 40)); 450 ret = EVP_AEAD_CTX_seal(key, cypher, cypher_len, max_out_len, 451 nonce, nonce_len, plain, plain_len, ad, ad_len); 452// LSQ_DEBUG("***aes_aead_enc nonce: %s", get_bin_str(nonce, nonce_len)); 453// LSQ_DEBUG("***aes_aead_enc AD: %s", get_bin_str(ad, ad_len)); 454// LSQ_DEBUG("***aes_aead_enc return %d", (ret ? 0 : -1)); 455 if (ret) 456 { 457 LSQ_DEBUG("***aes_aead_enc succeed, cypher content %s", 458 get_bin_str(cypher, *cypher_len, 40)); 459 return 0; 460 } 461 else 462 { 463 LSQ_DEBUG("***aes_aead_enc failed."); 464 return -1; 465 } 466} 467 468 469/* return 0 for OK */ 470int aes_aead_dec(EVP_AEAD_CTX *key, 471 const uint8_t *ad, size_t ad_len, 472 const uint8_t *nonce, size_t nonce_len, 473 const uint8_t *cypher, size_t cypher_len, 474 uint8_t *plain, size_t *plain_len) 475{ 476 int ret = 0; 477 size_t max_out_len = *plain_len; 478 assert(max_out_len >= cypher_len); 479 480 LSQ_DEBUG("***aes_aead_dec data %s", get_bin_str(cypher, cypher_len, 40)); 481 482 483 ret = EVP_AEAD_CTX_open(key, plain, plain_len, max_out_len, 484 nonce, nonce_len, cypher, cypher_len, ad, ad_len); 485 486// LSQ_DEBUG("***aes_aead_dec nonce: %s", get_bin_str(nonce, nonce_len)); 487// LSQ_DEBUG("***aes_aead_dec AD: %s", get_bin_str(ad, ad_len)); 488// LSQ_DEBUG("***aes_aead_dec return %d", (ret ? 0 : -1)); 489 if (ret) 490 { 491 LSQ_DEBUG("***aes_aead_dec succeed, plain content %s", 492 get_bin_str(plain, *plain_len, 20)); 493 return 0; 494 } 495 else 496 { 497 LSQ_DEBUG("***aes_aead_dec failed."); 498 return -1; 499 } 500} 501 502/* aes 128, 16 bytes */ 503int aes_get_key_length() 504{ 505 return 16; 506} 507 508void gen_nonce_s(char *buf, int length) 509{ 510 rand_bytes(buf, length); 511} 512 513/* 32 bytes client nonce with 4 bytes tm, 8 bytes orbit */ 514void gen_nonce_c(unsigned char *buf, uint64_t orbit) 515{ 516 time_t tm = time(NULL); 517 unsigned char *p = buf; 518 memcpy(p, &tm, 4); 519 p += 4; 520 memcpy(p, &orbit, 8); 521 p += 8; 522 rand_bytes(p, 20); 523 p += 20; 524} 525 526 527EVP_PKEY *PEM_to_key(const char *buf, int len) 528{ 529 RSA *rsa = NULL; 530 EVP_PKEY *key = EVP_PKEY_new(); 531 BIO *bio = BIO_new_mem_buf(buf, len); 532 if (!bio || !key) 533 return NULL; 534 535 rsa = PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL); 536 if (!rsa) 537 return NULL; 538 539 EVP_PKEY_assign_RSA(key, rsa); 540 return key; 541} 542 543 544/* type 0 DER, 1: PEM */ 545X509 *bio_to_crt(const void *buf, int len, int type) 546{ 547 X509 *crt = NULL; 548 BIO *bio = BIO_new_mem_buf(buf, len); 549 if (bio == NULL) 550 return NULL; 551 552 if (type == 0) 553 crt = d2i_X509_bio(bio, NULL); 554 else 555 crt = PEM_read_bio_X509(bio, &crt, 0 , NULL); 556 BIO_free(bio); 557 return crt; 558} 559 560 561int read_rsa_priv_key(const uint8_t *buf, int len, EVP_PKEY *pkey) 562{ 563 564 RSA *rsa = RSA_private_key_from_bytes(buf, len); 565 if (!rsa) 566 return -1; 567 568 return EVP_PKEY_assign_RSA(pkey, rsa); 569} 570 571 572int gen_prof(const uint8_t *chlo_data, size_t chlo_data_len, 573 const uint8_t *scfg_data, uint32_t scfg_data_len, 574 const EVP_PKEY *priv_key, uint8_t *buf, size_t *buf_len) 575{ 576 uint8_t chlo_hash[32] = {0}; 577 size_t chlo_hash_len = 32; /* SHA256 */ 578 EVP_MD_CTX sign_context; 579 EVP_PKEY_CTX* pkey_ctx = NULL; 580 581 sha256(chlo_data, chlo_data_len, chlo_hash); 582 EVP_MD_CTX_init(&sign_context); 583 if (!EVP_DigestSignInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)priv_key)) 584 return -1; 585 586 EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING); 587 EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1); 588 589 if (!EVP_DigestSignUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) || 590 !EVP_DigestSignUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) || 591 !EVP_DigestSignUpdate(&sign_context, chlo_hash, chlo_hash_len) || 592 !EVP_DigestSignUpdate(&sign_context, scfg_data, scfg_data_len)) 593 { 594 return -1; 595 } 596 597 size_t len = 0; 598 if (!EVP_DigestSignFinal(&sign_context, NULL, &len)) { 599 return -1; 600 } 601 602 if (len > *buf_len) 603 return -2; 604 if (buf) 605 EVP_DigestSignFinal(&sign_context, buf, buf_len); 606 607 EVP_MD_CTX_cleanup(&sign_context); 608 return 0; 609} 610 611 612int verify_cert(const char *buf, int len) 613{ 614 //X509_verify_cert(); 615 616 return 0; 617} 618 619 620int verify_prof(const uint8_t *chlo_data, size_t chlo_data_len, lsquic_str_t * scfg, 621 const EVP_PKEY *pub_key, const uint8_t *buf, size_t len) 622{ 623 return verify_prof0(chlo_data, chlo_data_len, 624 (const uint8_t *)lsquic_str_buf(scfg), 625 lsquic_str_len(scfg), pub_key, buf, len); 626} 627 628 629 630 631/* -3 internal error, -1: verify failed, 0: Success */ 632int verify_prof0(const uint8_t *chlo_data, size_t chlo_data_len, 633 const uint8_t *scfg_data, uint32_t scfg_data_len, 634 const EVP_PKEY *pub_key, const uint8_t *buf, size_t len) 635{ 636 uint8_t chlo_hash[32] = {0}; 637 size_t chlo_hash_len = 32; /* SHA256 */ 638 EVP_MD_CTX sign_context; 639 EVP_PKEY_CTX* pkey_ctx = NULL; 640 int ret = 0; 641 EVP_MD_CTX_init(&sign_context); 642 sha256(chlo_data, chlo_data_len, chlo_hash); 643 644 // discarding const below to quiet compiler warning on call to ssl library code 645 if (!EVP_DigestVerifyInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)pub_key)) 646 return -4; 647 648 EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING); 649 EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1); 650 651 652 if (!EVP_DigestVerifyUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) || 653 !EVP_DigestVerifyUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) || 654 !EVP_DigestVerifyUpdate(&sign_context, chlo_hash, chlo_hash_len) || 655 !EVP_DigestVerifyUpdate(&sign_context, scfg_data, scfg_data_len)) 656 { 657 return -3; /* set to -3, to avoid same as "not enough data" -2 */ 658 } 659 660 ret = EVP_DigestVerifyFinal(&sign_context, buf, len); 661 EVP_MD_CTX_cleanup(&sign_context); 662 663 if (ret == 1) 664 return 0; //OK 665 else 666 return -1; //failed 667} 668 669 670void crypto_init(void) 671{ 672 if (crypto_inited) 673 return ; 674 675 //SSL_library_init(); 676 CRYPTO_library_init(); 677 /* XXX Should we seed? If yes, wherewith? */ // RAND_seed(seed, seed_len); 678 679#if defined( __x86_64 )||defined( __x86_64__ ) 680 make_uint128(&s_prime, 16777216, 315); 681 make_uint128(&s_init_hash, 7809847782465536322, 7113472399480571277); 682#endif 683 684 /* MORE .... */ 685 crypto_inited = 1; 686} 687 688