lsquic_crypto.c revision 7a8b2ece
1/* Copyright (c) 2017 - 2019 LiteSpeed Technologies Inc.  See LICENSE. */
2#include <assert.h>
3#include <string.h>
4
5#include <openssl/ssl.h>
6#include <openssl/crypto.h>
7#include <openssl/stack.h>
8#include <openssl/x509.h>
9#include <openssl/rand.h>
10#include <openssl/curve25519.h>
11#include <openssl/hkdf.h>
12#include <openssl/hmac.h>
13
14#include <zlib.h>
15#ifdef WIN32
16#include <vc_compat.h>
17#endif
18
19#include "lsquic_types.h"
20#include "lsquic_crypto.h"
21#include "lsquic_parse.h"
22#include "lsquic_util.h"
23#include "lsquic_str.h"
24
25#define LSQUIC_LOGGER_MODULE LSQLM_CRYPTO
26#include "lsquic_logger.h"
27
28
/* Label mixed into the handshake proof signature.  gen_prof() and
 * verify_prof0() pass sizeof(s_hs_signature) as the length, so the
 * terminating NUL byte is part of the signed data. */
static const char s_hs_signature[] = "QUIC CHLO and server config signature";
/* Set to 1 at the end of crypto_init().  It is a plain int, so the
 * check-then-set in crypto_init() is not synchronized between threads. */
static int crypto_inited = 0;
31
32
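/*
 * Fill `data' with `len' bytes from the crypto library's random generator.
 *
 * `len' is a signed int.  Where RAND_bytes() takes a size_t length (as
 * BoringSSL's does), a negative value would be converted to an enormous
 * request and written far past the caller's buffer, so non-positive lengths
 * are rejected here and leave `data' untouched.
 */
void rand_bytes(void *data, int len)
{
    if (len <= 0)
        return;
    RAND_bytes(data, len);
}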
37
38
/*
 * 64-bit FNV-1a over `len' bytes at `data'.  The state starts at the FNV
 * offset basis; each input byte is XORed in and the state is then multiplied
 * by the FNV prime (arithmetic wraps modulo 2^64).  This is a checksum, not
 * a cryptographic hash.  A non-positive `len' returns the offset basis.
 */
uint64_t fnv1a_64(const uint8_t * data, int len)
{
    uint64_t digest = UINT64_C(14695981039346656037);
    int i;

    for (i = 0; i < len; ++i)
    {
        digest ^= data[i];
        digest *= UINT64_C(1099511628211);
    }
    return digest;
}
51
52
/*
 * Compute fnv1a_64() over the input and store the 8-byte result in `md'
 * exactly as it sits in memory (host byte order).  `md' must have room for
 * 8 bytes.
 */
void fnv1a_64_s(const uint8_t * data, int len, char *md)
{
    const uint64_t digest = fnv1a_64(data, len);

    memcpy(md, &digest, 8);
}
58
59
60#if defined( __x86_64 )||defined( __x86_64__ )
61
/* 128-bit FNV prime and initial hash value for the native-uint128 build.
 * Both are zero until crypto_init() fills them in with make_uint128(). */
static uint128 s_prime;
static uint128 s_init_hash;
64
65
/* Assemble a 128-bit value from two 64-bit halves: *v = hi * 2^64 + lo. */
static inline void make_uint128(uint128 *v, uint64_t hi, uint64_t lo)
{
    uint128 wide = hi;

    wide = (wide << 64) + lo;
    *v = wide;
}
72
73
/*
 * Fold `len' bytes at `data' into the running 128-bit FNV-1a state `*hash':
 * XOR each byte in, then multiply by s_prime.  s_prime is only assigned in
 * crypto_init(); before that it is zero and every update produces zero.
 */
void fnv1a_inc(uint128 *hash, const uint8_t *data, int len)
{
    for (; len > 0; --len, ++data)
        *hash = (*hash ^ (*data)) * s_prime;
}
83
/*
 * 128-bit FNV-1a over the concatenation of three buffers.  The state starts
 * from s_init_hash, which crypto_init() sets up; calling this before
 * crypto_init() starts from an all-zero state.
 */
uint128 fnv1a_128_3(const uint8_t *data1, int len1,
                      const uint8_t *data2, int len2,
                      const uint8_t *data3, int len3)
{
    uint128 state = s_init_hash;

    fnv1a_inc(&state, data1, len1);
    fnv1a_inc(&state, data2, len2);
    fnv1a_inc(&state, data3, len3);
    return state;
}
96
/*
 * Write the truncated hash to `md': the first 12 bytes of v's in-memory
 * representation (the original comment gives this as HS_PKT_HASH_LENGTH).
 * `md' must have room for 12 bytes.
 */
void serialize_fnv128_short(uint128 v, uint8_t *md)
{
    const unsigned char *const raw = (const unsigned char *) &v;

    memcpy(md, raw, 12);
}
102
103#else
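/*
 * Multiply *v by *factor in place, keeping the low 128 bits of the product,
 * and return v.  Both operands are split into four 32-bit limbs
 * (a96..a00, b96..b00) so every partial product fits in 64 bits.  All limbs
 * of `factor' are read before *v is written.
 *
 * Every addition into lo_ that can wrap must carry into hi_.  The previous
 * code only did so for the final a00*b00 term; the a00*b32 term was added
 * with a plain `+=' and silently dropped its carry, giving a wrong product
 * whenever the low halves of the two 2^32-weighted terms summed past 2^64.
 */
uint128  *uint128_times(uint128 *v, const uint128 *factor)
{
    uint64_t a96 = v->hi_ >> 32;
    uint64_t a64 = v->hi_ & 0xffffffffu;
    uint64_t a32 = v->lo_ >> 32;
    uint64_t a00 = v->lo_ & 0xffffffffu;
    uint64_t b96 = factor->hi_ >> 32;
    uint64_t b64 = factor->hi_ & 0xffffffffu;
    uint64_t b32 = factor->lo_ >> 32;
    uint64_t b00 = factor->lo_ & 0xffffffffu;
    uint64_t tmp, sum;
    // multiply [a96 .. a00] x [b96 .. b00]
    // terms higher than c96 disappear off the high side
    // terms c96 and c64 are safe to ignore carry bit
    uint64_t c96 = a96 * b00 + a64 * b32 + a32 * b64 + a00 * b96;
    uint64_t c64 = a64 * b00 + a32 * b32 + a00 * b64;
    v->hi_ = (c96 << 32) + c64;

    /* First 2^32-weighted term: lo_ starts from zero, so no carry yet. */
    tmp = a32 * b00;
    v->hi_ += tmp >> 32;
    v->lo_ = tmp << 32;

    /* Second 2^32-weighted term: its low half can push lo_ past 2^64. */
    tmp = a00 * b32;
    v->hi_ += tmp >> 32;
    sum = v->lo_ + (tmp << 32);
    if (sum < v->lo_)
        ++v->hi_;
    v->lo_ = sum;

    /* Lowest term, again with carry propagation. */
    tmp = a00 * b00;
    sum = v->lo_ + tmp;
    if (sum < v->lo_)
        ++v->hi_;
    v->lo_ = sum;

    return v;
}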
139
/*
 * Fold `len' bytes at `data' into the running 128-bit FNV-1a state `*hash'
 * for builds where uint128 is a {hi_, lo_} struct: XOR each byte into the
 * low word, then multiply the whole value by the 128-bit FNV prime.
 */
void fnv1a_inc(uint128 *hash, const uint8_t * data, int len)
{
    static const uint128 kPrime = {16777216, 315};
    int i;

    for (i = 0; i < len; ++i)
    {
        hash->lo_ ^= (uint64_t) data[i];
        uint128_times(hash, &kPrime);
    }
}
151
152
/*
 * 128-bit FNV-1a over the concatenation of three buffers, starting from the
 * fixed initial value below and feeding each buffer through fnv1a_inc() in
 * order.
 */
uint128 fnv1a_128_3(const uint8_t * data1, int len1,
                      const uint8_t * data2, int len2,
                      const uint8_t * data3, int len3)
{
    const uint8_t *const parts[3] = { data1, data2, data3 };
    const int sizes[3] = { len1, len2, len3 };
    uint128 state = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)};
    int i;

    for (i = 0; i < 3; ++i)
        fnv1a_inc(&state, parts[i], sizes[i]);
    return state;
}
163
164
/*
 * Write HS_PKT_HASH_LENGTH (8 + 4) bytes of the hash to `md': the 8 bytes
 * of lo_ followed by the first 4 bytes of hi_ as stored in memory.
 * NOTE(review): which 4 bytes of hi_ are "first" depends on host byte
 * order -- confirm this matches the native-uint128 build on big-endian
 * targets.
 */
void serialize_fnv128_short(uint128 v, uint8_t *md)
{
    uint8_t *const tail = md + 8;

    assert(HS_PKT_HASH_LENGTH == 8 + 4);
    memcpy(md, &v.lo_, 8);
    memcpy(tail, &v.hi_, 4);
}
172
173#endif
174
175
/* SHA-256 of `len' bytes at `buf'; the 32-byte digest is written to `h'. */
static void sha256(const uint8_t *buf, int len, uint8_t *h)
{
    (void) SHA256(buf, len, h);
}
183
184
/*
 * HKDF-Extract (RFC 5869) with HMAC-SHA256: prk = HMAC(key = salt,
 * message = ikm).  `prk' must have room for 32 bytes.
 *
 * NOTE(review): the function returns void and the result of HMAC() is only
 * checked with assert(), so in an NDEBUG build a failure goes unnoticed and
 * `prk' may not hold a valid key.
 */
void lshkdf_extract(const unsigned char *ikm, int ikm_len, const unsigned char *salt,
                  int salt_len, unsigned char *prk)
{
    unsigned int out_len = 0;
    unsigned char *const out = HMAC(EVP_sha256(), salt, salt_len, ikm, ikm_len,
                                    prk, &out_len);

    assert(out);
    assert(out_len == 32);
    /* Keep NDEBUG builds free of unused-variable warnings. */
    (void) out;
    (void) out_len;
}
204
205
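#define SHA256LEN   32
/*
 * HKDF-Expand (RFC 5869, SHA-256) of the 32-byte `prk' with `info', split
 * into the caller's buffers in this order: client key, server key, client
 * IV, server IV, sub key, client header-protection key, server
 * header-protection key.  The header-protection keys reuse c_key_len and
 * s_key_len and are produced only when c_hp / s_hp are non-NULL.
 *
 * sub_key_len is always counted in the total, but the read position only
 * moves past the sub key when `sub_key' is non-NULL; that layout is kept
 * as-is because it determines the derived key bytes.
 *
 * Returns 0 on success, -1 when the requested total does not fit in the
 * scratch buffer or HKDF_expand() fails.  Both conditions used to be
 * assert()-only, so an NDEBUG build would write past `output' on the stack
 * or hand out whatever the buffer held.  The scratch buffer is wiped before
 * returning because it holds every derived key.
 */
int lshkdf_expand(const unsigned char *prk, const unsigned char *info, int info_len,
                uint16_t c_key_len, uint8_t *c_key,
                uint16_t s_key_len, uint8_t *s_key,
                uint16_t c_key_iv_len, uint8_t *c_key_iv,
                uint16_t s_key_iv_len, uint8_t *s_key_iv,
                uint16_t sub_key_len, uint8_t *sub_key,
                uint8_t *c_hp, uint8_t *s_hp)
{
    const unsigned L = c_key_len + s_key_len + c_key_iv_len + s_key_iv_len
            + sub_key_len
            + (c_hp ? c_key_len : 0)
            + (s_hp ? s_key_len : 0)
            ;
    unsigned char output[
        EVP_MAX_KEY_LENGTH * 2  /* Keys */
      + EVP_MAX_IV_LENGTH * 2   /* IVs */
      + 32                      /* Subkey */
      + EVP_MAX_KEY_LENGTH * 2  /* Header protection */
    ];
    unsigned char *p = output;
    int rc = -1;

    /* Debug builds still stop here; release builds get a real bounds check. */
    assert((size_t) L <= sizeof(output));
    if ((size_t) L > sizeof(output))
        return -1;

    if (!HKDF_expand(output, L, EVP_sha256(), prk, SHA256LEN, info, info_len))
    {
        assert(!"HKDF_expand failed");
        goto end;
    }

    if (c_key_len)
    {
        memcpy(c_key, p, c_key_len);
        p += c_key_len;
    }
    if (s_key_len)
    {
        memcpy(s_key, p, s_key_len);
        p += s_key_len;
    }
    if (c_key_iv_len)
    {
        memcpy(c_key_iv, p, c_key_iv_len);
        p += c_key_iv_len;
    }
    if (s_key_iv_len)
    {
        memcpy(s_key_iv, p, s_key_iv_len);
        p += s_key_iv_len;
    }
    if (sub_key_len && sub_key)
    {
        memcpy(sub_key, p, sub_key_len);
        p += sub_key_len;
    }
    if (c_key_len && c_hp)
    {
        memcpy(c_hp, p, c_key_len);
        p += c_key_len;
    }
    if (s_key_len && s_hp)
        memcpy(s_hp, p, s_key_len);
    rc = 0;

  end:
    /* Do not leave derived key material behind on the stack. */
    OPENSSL_cleanse(output, sizeof(output));
    return rc;
}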
273
274
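/*
 * Derive `key_len' bytes into `key' with HKDF-SHA256.  The PRK comes from
 * lshkdf_extract(ikm, salt); the info string is
 *     label || 0x00 || context_len (4 bytes, host byte order) || context.
 *
 * Returns 0 on success and -1 on allocation failure, when the info string
 * would not fit the int length that lshkdf_expand() takes, or when
 * lshkdf_expand() reports an error.  The PRK is wiped before returning.
 */
int export_key_material_simple(unsigned char *ikm, uint32_t ikm_len,
                        unsigned char *salt, int salt_len,
                        char *label, uint32_t label_len,
                        const uint8_t *context, uint32_t context_len,
                        uint8_t *key, uint16_t key_len)
{
    unsigned char prk[32];
    uint8_t *info;
    uint8_t *cursor;
    int rc;
    /* 64-bit sum so two large 32-bit lengths cannot wrap the size. */
    const uint64_t total = (uint64_t) label_len + 1 + sizeof(uint32_t)
                                                            + context_len;

    if (total > (uint64_t) INT32_MAX)
        return -1;

    info = malloc((size_t) total);
    if (!info)
        return -1;

    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);

    cursor = info;
    if (label_len)
        memcpy(cursor, label, label_len);
    cursor += label_len;
    *cursor++ = 0x00;
    memcpy(cursor, &context_len, sizeof(uint32_t));
    cursor += sizeof(uint32_t);
    if (context_len)
        memcpy(cursor, context, context_len);

    rc = lshkdf_expand(prk, info, (int) total, key_len, key,
                0, NULL, 0, NULL,0, NULL, 0, NULL, NULL, NULL);

    OPENSSL_cleanse(prk, sizeof(prk));
    free(info);
    return rc == 0 ? 0 : -1;
}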
301
302
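/*
 * Derive the connection keys with HKDF-SHA256: extract a PRK from
 * (ikm, salt), then expand it with `context' as the info string into the
 * client/server keys, IVs, the sub key and, when c_hp / s_hp are non-NULL,
 * the header-protection keys.  The sub key length equals ikm_len.
 *
 * Returns 0 on success, -1 when ikm_len does not fit the 16-bit sub key
 * length (it used to be truncated silently) or when lshkdf_expand() reports
 * an error.  The PRK is wiped before returning.
 */
int
lsquic_export_key_material(const unsigned char *ikm, uint32_t ikm_len,
                        const unsigned char *salt, int salt_len,
                        const unsigned char *context, uint32_t context_len,
                        uint16_t c_key_len, uint8_t *c_key,
                        uint16_t s_key_len, uint8_t *s_key,
                        uint16_t c_key_iv_len, uint8_t *c_key_iv,
                        uint16_t s_key_iv_len, uint8_t *s_key_iv,
                        uint8_t *sub_key, uint8_t *c_hp, uint8_t *s_hp)
{
    unsigned char prk[32];
    uint16_t sub_key_len;
    int rc;

    if (ikm_len > UINT16_MAX)
        return -1;
    sub_key_len = (uint16_t) ikm_len;

    lshkdf_extract(ikm, ikm_len, salt, salt_len, prk);
    rc = lshkdf_expand(prk, context, context_len, c_key_len, c_key,
                s_key_len, s_key, c_key_iv_len, c_key_iv, s_key_iv_len,
                s_key_iv, sub_key_len, sub_key, c_hp, s_hp);
    OPENSSL_cleanse(prk, sizeof(prk));
    return rc == 0 ? 0 : -1;
}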
322
/* Compute the 32-byte X25519 public key for `priv_key' into `pub_key'. */
void c255_get_pub_key(unsigned char *priv_key, unsigned char pub_key[32])
{
    const unsigned char *const scalar = priv_key;

    X25519_public_from_private(pub_key, scalar);
}
327
328
/*
 * X25519 key agreement: write the shared secret for (priv_key,
 * peer_pub_key) to `shared_key'.
 *
 * The result of X25519() is returned unchanged.  BoringSSL documents it as
 * one on success and zero on error (for example an all-zero shared secret
 * from a small-order peer value), which is the opposite of the "0 for OK"
 * convention used by other functions in this file.  Callers must check it
 * before using `shared_key'.
 */
int c255_gen_share_key(unsigned char *priv_key, unsigned char *peer_pub_key, unsigned char *shared_key)
{
    const int ok = X25519(shared_key, priv_key, peer_pub_key);

    return ok;
}
333
334
335
/*
 * AEAD-seal `plain' with additional data `ad' under `key', using the nonce
 * supplied by the caller.  On entry *cypher_len is the capacity of `cypher';
 * on success it is set to the number of bytes written.
 * Returns 0 for OK, -1 on failure.
 *
 * NOTE(review): the debug log lines pass the plaintext and ciphertext to
 * get_bin_str() (presumably a bounded hex dump), so debug logging writes
 * message content to the log -- confirm that is acceptable where it is
 * enabled.
 */
int aes_aead_enc(EVP_AEAD_CTX *key,
              const uint8_t *ad, size_t ad_len,
              const uint8_t *nonce, size_t nonce_len,
              const uint8_t *plain, size_t plain_len,
              uint8_t *cypher, size_t *cypher_len)
{
    const size_t capacity = *cypher_len;

    LSQ_DEBUG("***aes_aead_enc data %s", get_bin_str(plain, plain_len, 40));
    if (!EVP_AEAD_CTX_seal(key, cypher, cypher_len, capacity,
                            nonce, nonce_len, plain, plain_len, ad, ad_len))
    {
        LSQ_DEBUG("***aes_aead_enc failed.");
        return -1;
    }

    LSQ_DEBUG("***aes_aead_enc succeed, cypher content %s",
              get_bin_str(cypher, *cypher_len, 40));
    return 0;
}
367
368
/*
 * AEAD-open `cypher' with additional data `ad' under `key' and the given
 * nonce.  On entry *plain_len is the capacity of `plain' and must be at
 * least cypher_len (checked with assert()); on success it is set to the
 * plaintext length.
 * Returns 0 for OK, -1 when EVP_AEAD_CTX_open() fails; the contents of
 * `plain' must not be used in that case.
 *
 * NOTE(review): on success the debug log passes the decrypted bytes to
 * get_bin_str() (presumably a bounded hex dump) -- confirm that logging
 * plaintext is acceptable where debug logging is enabled.
 */
int aes_aead_dec(EVP_AEAD_CTX *key,
              const uint8_t *ad, size_t ad_len,
              const uint8_t *nonce, size_t nonce_len,
              const uint8_t *cypher, size_t cypher_len,
              uint8_t *plain, size_t *plain_len)
{
    const size_t capacity = *plain_len;

    assert(capacity >= cypher_len);

    LSQ_DEBUG("***aes_aead_dec data %s", get_bin_str(cypher, cypher_len, 40));

    if (!EVP_AEAD_CTX_open(key, plain, plain_len, capacity,
                            nonce, nonce_len, cypher, cypher_len, ad, ad_len))
    {
        LSQ_DEBUG("***aes_aead_dec failed.");
        return -1;
    }

    LSQ_DEBUG("***aes_aead_dec succeed, plain content %s",
          get_bin_str(plain, *plain_len, 20));
    return 0;
}
401
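/*
 * Build the 32-byte client nonce in `buf': 4 bytes of the current time,
 * the 8-byte server orbit, then 20 random bytes.  Time and orbit are stored
 * in host byte order, as before.
 *
 * The time is narrowed to uint32_t before it is copied.  Copying the first
 * 4 bytes of a time_t object depended on its size and byte order: with a
 * 64-bit big-endian time_t those are the high-order bytes, not the current
 * time.
 */
void gen_nonce_c(unsigned char *buf, uint64_t orbit)
{
    const uint32_t now = (uint32_t) time(NULL);

    memcpy(buf, &now, 4);
    memcpy(buf + 4, &orbit, 8);
    rand_bytes(buf + 12, 20);
}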
414
415
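/*
 * Parse a PEM-encoded RSA private key from `buf' (`len' bytes) and return
 * it wrapped in a newly allocated EVP_PKEY, or NULL on any failure.  The
 * caller owns the returned key and releases it with EVP_PKEY_free().
 *
 * The memory BIO is freed on every path (it used to leak on each call,
 * success included), and neither the RSA key nor the EVP_PKEY is leaked
 * when a later step fails.
 */
EVP_PKEY *PEM_to_key(const char *buf, int len)
{
    RSA *rsa = NULL;
    EVP_PKEY *key;
    BIO *bio = BIO_new_mem_buf(buf, len);
    if (!bio)
        return NULL;

    rsa = PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL);
    BIO_free(bio);
    if (!rsa)
        return NULL;

    key = EVP_PKEY_new();
    /* On success the EVP_PKEY takes ownership of rsa; on failure it does
     * not, so both objects are released here. */
    if (!key || !EVP_PKEY_assign_RSA(key, rsa))
    {
        RSA_free(rsa);
        EVP_PKEY_free(key);
        return NULL;
    }
    return key;
}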
431
432
/*
 * Parse one X.509 certificate from `buf' (`len' bytes).  `type' 0 selects
 * DER; any other value selects PEM.  Returns the certificate, which the
 * caller owns, or NULL when the BIO cannot be created or parsing fails.
 */
X509 *bio_to_crt(const void *buf, int len, int type)
{
    X509 *crt = NULL;
    BIO *const bio = BIO_new_mem_buf(buf, len);

    if (!bio)
        return NULL;

    switch (type)
    {
    case 0:
        crt = d2i_X509_bio(bio, NULL);
        break;
    default:
        crt = PEM_read_bio_X509(bio, &crt, 0 , NULL);
        break;
    }

    BIO_free(bio);
    return crt;
}
448
449
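/*
 * Sign the handshake proof with `priv_key' using SHA-256 and, for RSA keys,
 * PSS padding with a salt as long as the digest (salt length -1).  The
 * signed data is: s_hs_signature including its NUL, the first 4 bytes of
 * the size_t hash length (32), SHA-256(chlo_data), then scfg_data.
 *
 * On entry *buf_len is the capacity of `buf'; on success it holds the
 * signature length.  With a NULL `buf' nothing is written.
 * Returns 0 on success, -2 when `buf' is too small, -1 on any other error.
 *
 * Changes from the previous version: the digest context is cleaned up on
 * every exit path (the early returns used to skip EVP_MD_CTX_cleanup()),
 * and a failure of the final signing call is reported instead of returning
 * 0 with an unfilled buffer.
 *
 * NOTE(review): the results of the two RSA-PSS setters are deliberately
 * still unchecked; checking them would change behaviour for non-RSA keys
 * -- confirm which key types callers pass.
 * NOTE(review): the 4 length bytes are taken from a size_t object, so their
 * value depends on host byte order; verify_prof0() does the same.
 */
int gen_prof(const uint8_t *chlo_data, size_t chlo_data_len,
             const uint8_t *scfg_data, uint32_t scfg_data_len,
             const EVP_PKEY *priv_key, uint8_t *buf, size_t *buf_len)
{
    uint8_t chlo_hash[32] = {0};
    size_t chlo_hash_len = 32; /* SHA256 */
    EVP_MD_CTX sign_context;
    EVP_PKEY_CTX* pkey_ctx = NULL;
    size_t len = 0;
    int rc = -1;

    sha256(chlo_data, chlo_data_len, chlo_hash);
    EVP_MD_CTX_init(&sign_context);
    if (!EVP_DigestSignInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)priv_key))
        goto end;

    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);

    if (!EVP_DigestSignUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
        !EVP_DigestSignUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
        !EVP_DigestSignUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
        !EVP_DigestSignUpdate(&sign_context, scfg_data, scfg_data_len))
    {
        goto end;
    }

    /* First pass with a NULL output only asks for the signature size. */
    if (!EVP_DigestSignFinal(&sign_context, NULL, &len))
        goto end;

    if (len > *buf_len)
    {
        rc = -2;
        goto end;
    }

    if (buf && !EVP_DigestSignFinal(&sign_context, buf, buf_len))
        goto end;

    rc = 0;

  end:
    EVP_MD_CTX_cleanup(&sign_context);
    return rc;
}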
488
489
/*
 * Convenience wrapper around verify_prof0() for a server config held in an
 * lsquic_str_t; the return value is verify_prof0()'s, unchanged.
 */
int verify_prof(const uint8_t *chlo_data, size_t chlo_data_len, lsquic_str_t * scfg,
                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
{
    const uint8_t *const scfg_data = (const uint8_t *)lsquic_str_buf(scfg);

    return verify_prof0(chlo_data, chlo_data_len, scfg_data,
                        lsquic_str_len(scfg), pub_key, buf, len);
}
497
498
499
500
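/*
 * Verify the handshake proof signature `buf' (`len' bytes) with `pub_key'.
 * The verified data mirrors gen_prof(): s_hs_signature including its NUL,
 * the first 4 bytes of the size_t hash length (32), SHA-256(chlo_data),
 * then scfg_data.
 *
 * Returns  0: signature valid
 *         -1: verification failed
 *         -3: internal error while feeding data to the digest
 *         -4: EVP_DigestVerifyInit() failed
 * Only 0 means the proof may be trusted.
 *
 * The digest context is now cleaned up on every exit path; the -4 and -3
 * returns used to skip EVP_MD_CTX_cleanup().
 */
int verify_prof0(const uint8_t *chlo_data, size_t chlo_data_len,
                const uint8_t *scfg_data, uint32_t scfg_data_len,
                const EVP_PKEY *pub_key, const uint8_t *buf, size_t len)
{
    uint8_t chlo_hash[32] = {0};
    size_t chlo_hash_len = 32; /* SHA256 */
    EVP_MD_CTX sign_context;
    EVP_PKEY_CTX* pkey_ctx = NULL;
    int rc;

    EVP_MD_CTX_init(&sign_context);
    sha256(chlo_data, chlo_data_len, chlo_hash);

    // discarding const below to quiet compiler warning on call to ssl library code
    if (!EVP_DigestVerifyInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)pub_key))
    {
        rc = -4;
        goto end;
    }

    EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING);
    EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1);

    if (!EVP_DigestVerifyUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) ||
        !EVP_DigestVerifyUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) ||
        !EVP_DigestVerifyUpdate(&sign_context, chlo_hash, chlo_hash_len) ||
        !EVP_DigestVerifyUpdate(&sign_context, scfg_data, scfg_data_len))
    {
        rc = -3;  /* set to -3, to avoid same as "not enough data" -2 */
        goto end;
    }

    /* Anything other than exactly 1 is treated as a failed verification. */
    rc = EVP_DigestVerifyFinal(&sign_context, buf, len) == 1 ? 0 : -1;

  end:
    EVP_MD_CTX_cleanup(&sign_context);
    return rc;
}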
538
539
/*
 * One-time setup for this module: initialise the crypto library and, on
 * x86-64 builds, compute the 128-bit FNV prime and initial hash value used
 * by fnv1a_inc() and fnv1a_128_3().  Later calls return immediately.
 * The guard is a plain int, so concurrent first calls are not serialised.
 */
void crypto_init(void)
{
    if (!crypto_inited)
    {
        CRYPTO_library_init();

#if defined( __x86_64 )||defined( __x86_64__ )
        make_uint128(&s_prime, 16777216, 315);
        make_uint128(&s_init_hash, 7809847782465536322, 7113472399480571277);
#endif

        crypto_inited = 1;
    }
}
557
558