lsquic_crypto.c revision 67b0dc15
1/* Copyright (c) 2017 LiteSpeed Technologies Inc.  See LICENSE. */
2#include <assert.h>
3#include <string.h>
4
5#include <openssl/ssl.h>
6#include <openssl/crypto.h>
7#include <openssl/stack.h>
8#include <openssl/x509.h>
9#include <openssl/rand.h>
10#include <openssl/curve25519.h>
11#include <openssl/hmac.h>
12
13#include <zlib.h>
14
15#include "lsquic_types.h"
16#include "lsquic_crypto.h"
17#include "lsquic_alarmset.h"
18#include "lsquic_parse.h"
19#include "lsquic_util.h"
20#include "lsquic_str.h"
21
22#define LSQUIC_LOGGER_MODULE LSQLM_CRYPTO
23#include "lsquic_logger.h"
24
25
26static const char s_hs_signature[] = "QUIC CHLO and server config signature";
27static int crypto_inited = 0;
28
29
30void rand_bytes(void *data, int len)
31{
32    RAND_bytes(data, len);
33}
34
35
36uint64_t fnv1a_64(const uint8_t * data, int len)
37{
38    uint64_t hash = UINT64_C(14695981039346656037);
39    const uint8_t *end = data + len;
40    while(data < end)
41    {
42        hash ^= *data;
43        hash *= UINT64_C(1099511628211);
44        ++data;
45    }
46    return hash;
47}
48
49
50void fnv1a_64_s(const uint8_t * data, int len, char *md)
51{
52    uint64_t hash = fnv1a_64(data, len);
53    memcpy(md, (void *)&hash, 8);
54}
55
56
57#if defined( __x86_64 )||defined( __x86_64__ )
58
59static uint128 s_prime;
60static uint128 s_init_hash;
61
62
63static inline void make_uint128(uint128 *v, uint64_t hi, uint64_t lo)
64{
65    *v = hi;
66    *v <<= 64;
67    *v += lo;
68}
69
70
71void fnv1a_inc(uint128 *hash, const uint8_t *data, int len)
72{
73    const uint8_t* end = data + len;
74    while(data < end)
75    {
76        *hash = (*hash ^ (*data)) * s_prime;
77        ++data;
78    }
79}
80
81uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t *data2, int len2)
82{
83    uint128 hash;
84    memcpy(&hash, &s_init_hash, 16);
85
86    fnv1a_inc(&hash, data1, len1);
87    if (data2)
88        fnv1a_inc(&hash, data2, len2);
89    return hash;
90}
91
92uint128 fnv1a_128_3(const uint8_t *data1, int len1,
93                      const uint8_t *data2, int len2,
94                      const uint8_t *data3, int len3)
95{
96    uint128 hash;
97    memcpy(&hash, &s_init_hash, 16);
98
99    fnv1a_inc(&hash, data1, len1);
100    fnv1a_inc(&hash, data2, len2);
101    fnv1a_inc(&hash, data3, len3);
102    return hash;
103}
104
105void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t  *md)
106{
107    uint128 hash = fnv1a_128_2(data1, len1, data2, len2);
108    memcpy(md, (void *)&hash, 16);
109}
110
111/* HS_PKT_HASH_LENGTH bytes of md */
112void serialize_fnv128_short(uint128 v, uint8_t *md)
113{
114    memcpy(md, (void *)&v, 12);
115}
116
117#else
118uint128  *uint128_times(uint128 *v, const uint128 *factor)
119{
120    uint64_t a96 = v->hi_ >> 32;
121    uint64_t a64 = v->hi_ & 0xffffffffu;
122    uint64_t a32 = v->lo_ >> 32;
123    uint64_t a00 = v->lo_ & 0xffffffffu;
124    uint64_t b96 = factor->hi_ >> 32;
125    uint64_t b64 = factor->hi_ & 0xffffffffu;
126    uint64_t b32 = factor->lo_ >> 32;
127    uint64_t b00 = factor->lo_ & 0xffffffffu;
128    uint64_t tmp, lolo;
129    // multiply [a96 .. a00] x [b96 .. b00]
130    // terms higher than c96 disappear off the high side
131    // terms c96 and c64 are safe to ignore carry bit
132    uint64_t c96 = a96 * b00 + a64 * b32 + a32 * b64 + a00 * b96;
133    uint64_t c64 = a64 * b00 + a32 * b32 + a00 * b64;
134    v->hi_ = (c96 << 32) + c64;
135    v->lo_ = 0;
136
137    tmp = a32 * b00;
138    v->hi_ += tmp >> 32;
139    v->lo_ += tmp << 32;
140
141    tmp = a00 * b32;
142    v->hi_ += tmp >> 32;
143    v->lo_ += tmp << 32;
144
145    tmp = a00 * b00;
146    lolo = v->lo_ + tmp;
147    if (lolo < v->lo_)
148        ++v->hi_;
149    v->lo_ = lolo;
150
151    return v;
152}
153
154void fnv1a_inc(uint128 *hash, const uint8_t * data, int len)
155{
156    static const uint128 kPrime = {16777216, 315};
157    const uint8_t* end = data + len;
158    while(data < end)
159    {
160        hash->lo_ = (hash->lo_ ^ (uint64_t)*data);
161        uint128_times(hash, &kPrime);
162        ++data;
163    }
164}
165
166
167uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t * data2, int len2)
168{
169    uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)};
170    fnv1a_inc(&hash, data1, len1);
171    if (data2)
172        fnv1a_inc(&hash, data2, len2);
173    return hash;
174}
175
176
177uint128 fnv1a_128_3(const uint8_t * data1, int len1,
178                      const uint8_t * data2, int len2,
179                      const uint8_t * data3, int len3)
180{
181    uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)};
182    fnv1a_inc(&hash, data1, len1);
183    fnv1a_inc(&hash, data2, len2);
184    fnv1a_inc(&hash, data3, len3);
185    return hash;
186}
187
188
189void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t  *md)
190{
191    uint128 hash = fnv1a_128_2(data1, len1, data2, len2);
192    memcpy(md, (void *)&hash.lo_, 8);
193    memcpy(md + 8, (void *)&hash.hi_, 8);
194}
195
196/* HS_PKT_HASH_LENGTH bytes of md */
197void serialize_fnv128_short(uint128 v, uint8_t *md)
198{
199    assert(HS_PKT_HASH_LENGTH == 8 + 4);
200    memcpy(md, (void *)&v.lo_, 8);
201    memcpy(md + 8, (void *)&v.hi_, 4);
202}
203
204#endif
205
206uint128 fnv1a_128(const uint8_t * data, int len)
207{
208    return fnv1a_128_2(data, len , NULL, 0);
209}
210
211
212void fnv1a_128_s(const uint8_t * data, int len, uint8_t  *md)
213{
214    return fnv1a_128_2_s(data, len, NULL, 0, md);
215}
216
217
218/* packet data = header + MD + payload */
219/* return 0 if OK */
220int verify_hs_pkt(const uint8_t *pkg_data, size_t header_len, size_t pkg_len)
221{
222    uint8_t md[HS_PKT_HASH_LENGTH];
223    uint128 hash;
224    if (pkg_len < header_len + HS_PKT_HASH_LENGTH)
225        return -1;
226
227    hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH,
228                       pkg_len - header_len - HS_PKT_HASH_LENGTH);
229    serialize_fnv128_short(hash, md);
230    return memcmp(md, pkg_data + header_len, HS_PKT_HASH_LENGTH);
231}
232
233/* packet data = header + MD + payload, update the MD part */
234int update_hs_pkt_hash(uint8_t *pkg_data, int header_len, int pkg_len)
235{
236    uint8_t md[HS_PKT_HASH_LENGTH];
237    uint128 hash;
238    if (pkg_len < header_len + HS_PKT_HASH_LENGTH)
239        return -1;
240
241    hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH,
242                       pkg_len - header_len - HS_PKT_HASH_LENGTH);
243    serialize_fnv128_short(hash, md);
244    memcpy(pkg_data + header_len, md, HS_PKT_HASH_LENGTH);
245    return 0;
246}
247
248int get_hs_pkt_hash_len()
249{
250    return HS_PKT_HASH_LENGTH;
251}
252
253
254void sha256(const uint8_t *buf, int len, uint8_t *h)
255{
256    SHA256_CTX ctx;
257    SHA256_Init(&ctx);
258    SHA256_Update(&ctx, buf, len);
259    SHA256_Final(h, &ctx);
260}
261
262
263/* base on rfc 5869 with sha256, prk is 32 bytes*/
264void lshkdf_extract(const unsigned char *ikm, int ikm_len, const unsigned char *salt,
265                  int salt_len, unsigned char *prk)
266{
267#ifndef NDEBUG
268    unsigned char *out;
269    unsigned int out_len;
270    out =
271#endif
272        HMAC(EVP_sha256(), salt, salt_len, ikm, ikm_len, prk,
273#ifndef NDEBUG
274                                                              &out_len
275#else
276                                                              NULL
277#endif
278                                                                      );
279    assert(out);
280    assert(out_len == 32);
281}
282
283
284int lshkdf_expand(const unsigned char *prk, const unsigned char *info, int info_len,
285                uint16_t c_key_len, uint8_t *c_key,
286                uint16_t s_key_len, uint8_t *s_key,
287                uint16_t c_key_iv_len, uint8_t *c_key_iv,
288                uint16_t s_key_iv_len, uint8_t *s_key_iv,
289                uint16_t sub_key_len, uint8_t *sub_key)
290{
291    const int SHA256LEN = 32;
292    int L = c_key_len + s_key_len + c_key_iv_len + s_key_iv_len + sub_key_len;
293    int N = (L + SHA256LEN - 1) / SHA256LEN;
294    unsigned char *p_org;
295    uint8_t *buf;
296    unsigned char *p;
297    unsigned char T[SHA256LEN + 1];
298    int T_len = 0;
299    int i;
300    uint8_t *pb;
301
302    p_org = malloc(N * SHA256LEN);
303    if (!p_org)
304        return -1;
305
306    buf = malloc(SHA256LEN + info_len + 13);
307    if (!buf)
308    {
309        free(p_org);
310        return -1;
311    }
312
313    p = p_org;
314
315    for (i = 1; i <= N; ++i)
316    {
317        pb = buf;
318        if (T_len > 0)
319        {
320            memcpy(pb, T, T_len);
321            pb += T_len;
322        }
323
324        memcpy(pb, info, info_len);
325        pb += info_len;
326        *pb = i;
327        ++pb;
328
329        HMAC(EVP_sha256(), prk, SHA256LEN, buf, pb - buf, T, NULL);
330        if (i != N)
331            T_len = SHA256LEN;
332        else
333            T_len = L - (N - 1) * SHA256LEN;
334
335        memcpy(p, T, T_len);
336        p += T_len;
337    }
338
339    free(buf);
340
341    p = p_org;
342    if (c_key_len)
343    {
344        memcpy(c_key, p, c_key_len);
345        p += c_key_len;
346    }
347    if (s_key_len)
348    {
349        memcpy(s_key, p, s_key_len);
350        p += s_key_len;
351    }
352    if (c_key_iv_len)
353    {
354        memcpy(c_key_iv, p, c_key_iv_len);
355        p += c_key_iv_len;
356    }
357    if (s_key_iv_len)
358    {
359        memcpy(s_key_iv, p, s_key_iv_len);
360        p += s_key_iv_len;
361    }
362    if (sub_key_len && sub_key)
363    {
364        memcpy(sub_key, p, sub_key_len);
365        p += sub_key_len;
366    }
367
368    free(p_org);
369    return 0;
370}
371
372
373int export_key_material_simple(unsigned char *ikm, uint32_t ikm_len,
374                        unsigned char *salt, int salt_len,
375                        char *label, uint32_t label_len,
376                        const uint8_t *context, uint32_t context_len,
377                        uint8_t *key, uint16_t key_len)
378{
379    unsigned char prk[32];
380    int info_len;
381    uint8_t *info = NULL;
382    info = (uint8_t *)malloc(label_len + 1 + sizeof(uint32_t) + context_len);
383    if (!info)
384        return -1;
385
386    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);
387    memcpy(info, label, label_len);
388    info[label_len] = 0x00;
389    info_len = label_len + 1;
390    memcpy(info + info_len, &context_len, sizeof(uint32_t));
391    info_len += sizeof(uint32_t);
392    memcpy(info + info_len, context, context_len);
393    info_len += context_len;
394    lshkdf_expand(prk, info, info_len, key_len, key,
395                0, NULL, 0, NULL,0, NULL, 0, NULL);
396    free(info);
397    return 0;
398}
399
400
401int export_key_material(const unsigned char *ikm, uint32_t ikm_len,
402                        const unsigned char *salt, int salt_len,
403                        const unsigned char *context, uint32_t context_len,
404                        uint16_t c_key_len, uint8_t *c_key,
405                        uint16_t s_key_len, uint8_t *s_key,
406                        uint16_t c_key_iv_len, uint8_t *c_key_iv,
407                        uint16_t s_key_iv_len, uint8_t *s_key_iv,
408                        uint8_t *sub_key)
409{
410    unsigned char prk[32];
411    uint16_t sub_key_len = ikm_len;
412
413    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);
414    lshkdf_expand(prk, context, context_len, c_key_len, c_key,
415                s_key_len, s_key, c_key_iv_len, c_key_iv, s_key_iv_len,
416                s_key_iv, sub_key_len, sub_key);
417    return 0;
418}
419
420void c255_get_pub_key(unsigned char *priv_key, unsigned char pub_key[32])
421{
422    X25519_public_from_private(pub_key, priv_key);
423}
424
425
426int c255_gen_share_key(unsigned char *priv_key, unsigned char *peer_pub_key, unsigned char *shared_key)
427{
428    return X25519(shared_key, priv_key, peer_pub_key);
429}
430
431
432
433/* AEAD nonce is always zero */
434/* return 0 for OK */
435int aes_aead_enc(EVP_AEAD_CTX *key,
436              const uint8_t *ad, size_t ad_len,
437              const uint8_t *nonce, size_t nonce_len,
438              const uint8_t *plain, size_t plain_len,
439              uint8_t *cypher, size_t *cypher_len)
440{
441    int ret = 0;
442    size_t max_out_len;
443    max_out_len = *cypher_len;//plain_len + EVP_AEAD_max_overhead(aead_);
444    assert(*cypher_len >= max_out_len);
445
446    LSQ_DEBUG("***aes_aead_enc data %s", get_bin_str(plain, plain_len, 40));
447    ret = EVP_AEAD_CTX_seal(key, cypher, cypher_len, max_out_len,
448                            nonce, nonce_len, plain, plain_len, ad, ad_len);
449//     LSQ_DEBUG("***aes_aead_enc nonce: %s", get_bin_str(nonce, nonce_len));
450//     LSQ_DEBUG("***aes_aead_enc AD: %s", get_bin_str(ad, ad_len));
451//     LSQ_DEBUG("***aes_aead_enc return %d", (ret ? 0 : -1));
452    if (ret)
453    {
454        LSQ_DEBUG("***aes_aead_enc succeed, cypher content %s",
455                  get_bin_str(cypher, *cypher_len, 40));
456        return 0;
457    }
458    else
459    {
460        LSQ_DEBUG("***aes_aead_enc failed.");
461        return -1;
462    }
463}
464
465
466/* return 0 for OK */
467int aes_aead_dec(EVP_AEAD_CTX *key,
468              const uint8_t *ad, size_t ad_len,
469              const uint8_t *nonce, size_t nonce_len,
470              const uint8_t *cypher, size_t cypher_len,
471              uint8_t *plain, size_t *plain_len)
472{
473    int ret = 0;
474    size_t max_out_len = *plain_len;
475    assert(max_out_len >= cypher_len);
476
477    LSQ_DEBUG("***aes_aead_dec data %s", get_bin_str(cypher, cypher_len, 40));
478
479
480    ret = EVP_AEAD_CTX_open(key, plain, plain_len, max_out_len,
481                            nonce, nonce_len, cypher, cypher_len, ad, ad_len);
482
483//    LSQ_DEBUG("***aes_aead_dec nonce: %s", get_bin_str(nonce, nonce_len));
484//    LSQ_DEBUG("***aes_aead_dec AD: %s", get_bin_str(ad, ad_len));
485//    LSQ_DEBUG("***aes_aead_dec return %d", (ret ? 0 : -1));
486    if (ret)
487    {
488        LSQ_DEBUG("***aes_aead_dec succeed, plain content %s",
489              get_bin_str(plain, *plain_len, 20));
490        return 0;
491    }
492    else
493    {
494        LSQ_DEBUG("***aes_aead_dec failed.");
495        return -1;
496    }
497}
498
499/* aes 128, 16 bytes */
500int aes_get_key_length()
501{
502    return 16;
503}
504
505void gen_nonce_s(char *buf, int length)
506{
507    rand_bytes(buf, length);
508}
509
510/* 32 bytes client nonce with 4 bytes tm, 8 bytes orbit */
511void gen_nonce_c(unsigned char *buf, uint64_t orbit)
512{
513    time_t tm = time(NULL);
514    unsigned char *p = buf;
515    memcpy(p, &tm, 4);
516    p += 4;
517    memcpy(p, &orbit, 8);
518    p += 8;
519    rand_bytes(p, 20);
520    p += 20;
521}
522
523
524EVP_PKEY *PEM_to_key(const char *buf, int len)
525{
526    RSA *rsa = NULL;
527    EVP_PKEY *key = EVP_PKEY_new();
528    BIO *bio = BIO_new_mem_buf(buf, len);
529    if (!bio || !key)
530        return NULL;
531
532    rsa = PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL);
533    if (!rsa)
534        return NULL;
535
536    EVP_PKEY_assign_RSA(key, rsa);
537    return key;
538}
539
540
541/* type 0 DER, 1: PEM */
542X509 *bio_to_crt(const void *buf, int len, int type)
543{
544    X509 *crt = NULL;
545    BIO *bio = BIO_new_mem_buf(buf, len);
546    if (bio == NULL)
547        return NULL;
548
549    if (type == 0)
550        crt = d2i_X509_bio(bio, NULL);
551    else
552        crt = PEM_read_bio_X509(bio, &crt, 0 , NULL);
553    BIO_free(bio);
554    return crt;
555}
556
557
558int read_rsa_priv_key(const uint8_t *buf, int len, EVP_PKEY *pkey)
559{
560
561    RSA *rsa = RSA_private_key_from_bytes(buf, len);
562    if (!rsa)
563        return -1;
564
565    return EVP_PKEY_assign_RSA(pkey, rsa);
566}
567
568
569int gen_prof(const uint8_t *chlo_data, size_t chlo_data_len,
570             const uint8_t *scfg_data, uint32_t scfg_data_len,
571             const EVP_PKEY *priv_key, uint8_t *buf, size_t *buf_len)
572{
573    uint8_t chlo_hash[32] = {0};
574    size_t chlo_hash_len = 32; /* SHA256 */
575    EVP_MD_CTX sign_context;
576    EVP_PKEY_CTX* pkey_ctx = NULL;
577
578    sha256(chlo_data, chlo_data_len, chlo_hash);
579    EVP_MD_CTX_init(&sign_context);
580    if (!EVP_DigestSignInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)priv_key))
581        return -1;
582
583    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
584    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);
585
586    if (!EVP_DigestSignUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
587        !EVP_DigestSignUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
588        !EVP_DigestSignUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
589        !EVP_DigestSignUpdate(&sign_context, scfg_data, scfg_data_len))
590    {
591        return -1;
592    }
593
594    size_t len = 0;
595    if (!EVP_DigestSignFinal(&sign_context, NULL, &len)) {
596        return -1;
597    }
598
599    if (len > *buf_len)
600        return -2;
601    if (buf)
602        EVP_DigestSignFinal(&sign_context, buf, buf_len);
603
604    EVP_MD_CTX_cleanup(&sign_context);
605    return 0;
606}
607
608
609int verify_cert(const char *buf, int len)
610{
611    //X509_verify_cert();
612
613    return 0;
614}
615
616
617int verify_prof(const uint8_t *chlo_data, size_t chlo_data_len, lsquic_str_t * scfg,
618                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
619{
620    return verify_prof0(chlo_data, chlo_data_len,
621                        (const uint8_t *)lsquic_str_buf(scfg),
622                        lsquic_str_len(scfg), pub_key, buf, len);
623}
624
625
626
627
628/* -3 internal error, -1: verify failed, 0: Success */
629int verify_prof0(const uint8_t *chlo_data, size_t chlo_data_len,
630                const uint8_t *scfg_data, uint32_t scfg_data_len,
631                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
632{
633    uint8_t chlo_hash[32] = {0};
634    size_t chlo_hash_len = 32; /* SHA256 */
635    EVP_MD_CTX sign_context;
636    EVP_PKEY_CTX* pkey_ctx = NULL;
637    int ret = 0;
638    EVP_MD_CTX_init(&sign_context);
639    sha256(chlo_data, chlo_data_len, chlo_hash);
640
641    // discarding const below to quiet compiler warning on call to ssl library code
642    if (!EVP_DigestVerifyInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)pub_key))
643        return -4;
644
645    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
646    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);
647
648
649    if (!EVP_DigestVerifyUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
650        !EVP_DigestVerifyUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
651        !EVP_DigestVerifyUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
652        !EVP_DigestVerifyUpdate(&sign_context, scfg_data, scfg_data_len))
653    {
654        return -3;  /* set to -3, to avoid same as "not enough data" -2 */
655    }
656
657    ret = EVP_DigestVerifyFinal(&sign_context, buf, len);
658    EVP_MD_CTX_cleanup(&sign_context);
659
660    if (ret == 1)
661        return 0; //OK
662    else
663        return -1;  //failed
664}
665
666
667void crypto_init(void)
668{
669    if (crypto_inited)
670        return ;
671
672    //SSL_library_init();
673    CRYPTO_library_init();
674    /* XXX Should we seed? If yes, wherewith? */ // RAND_seed(seed, seed_len);
675
676#if defined( __x86_64 )||defined( __x86_64__ )
677    make_uint128(&s_prime, 16777216, 315);
678    make_uint128(&s_init_hash, 7809847782465536322, 7113472399480571277);
679#endif
680
681    /* MORE .... */
682    crypto_inited = 1;
683}
684
685