lsquic_crypto.c revision e0197994
1/* Copyright (c) 2017 LiteSpeed Technologies Inc. See LICENSE. */ 2#include <assert.h> 3#include <string.h> 4 5#include <openssl/ssl.h> 6#include <openssl/crypto.h> 7#include <openssl/stack.h> 8#include <openssl/x509.h> 9#include <openssl/rand.h> 10#include <openssl/curve25519.h> 11#include <openssl/hmac.h> 12 13#include <zlib.h> 14 15#include "lsquic_types.h" 16#include "lsquic_crypto.h" 17#include "lsquic_alarmset.h" 18#include "lsquic_parse.h" 19#include "lsquic_util.h" 20#include "lsquic_str.h" 21 22#define LSQUIC_LOGGER_MODULE LSQLM_CRYPTO 23#include "lsquic_logger.h" 24 25 26static const char s_hs_signature[] = "QUIC CHLO and server config signature"; 27static int crypto_inited = 0; 28 29 30void rand_bytes(void *data, int len) 31{ 32 RAND_bytes(data, len); 33} 34 35 36uint64_t fnv1a_64(const uint8_t * data, int len) 37{ 38 uint64_t hash = UINT64_C(14695981039346656037); 39 const uint8_t *end = data + len; 40 while(data < end) 41 { 42 hash ^= *data; 43 hash *= UINT64_C(1099511628211); 44 ++data; 45 } 46 return hash; 47} 48 49 50void fnv1a_64_s(const uint8_t * data, int len, char *md) 51{ 52 uint64_t hash = fnv1a_64(data, len); 53 memcpy(md, (void *)&hash, 8); 54} 55 56 57#if defined( __x86_64 )||defined( __x86_64__ ) 58 59static uint128 s_prime; 60static uint128 s_init_hash; 61 62 63static inline void make_uint128(uint128 *v, uint64_t hi, uint64_t lo) 64{ 65 *v = hi; 66 *v <<= 64; 67 *v += lo; 68} 69 70 71void fnv1a_inc(uint128 *hash, const uint8_t *data, int len) 72{ 73 const uint8_t* end = data + len; 74 while(data < end) 75 { 76 *hash = (*hash ^ (*data)) * s_prime; 77 ++data; 78 } 79} 80 81uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t *data2, int len2) 82{ 83 uint128 hash; 84 memcpy(&hash, &s_init_hash, 16); 85 86 fnv1a_inc(&hash, data1, len1); 87 if (data2) 88 fnv1a_inc(&hash, data2, len2); 89 return hash; 90} 91 92uint128 fnv1a_128_3(const uint8_t *data1, int len1, 93 const uint8_t *data2, int len2, 94 const uint8_t *data3, int len3) 95{ 96 uint128 hash; 97 memcpy(&hash, &s_init_hash, 16); 98 99 fnv1a_inc(&hash, data1, len1); 100 fnv1a_inc(&hash, data2, len2); 101 fnv1a_inc(&hash, data3, len3); 102 return hash; 103} 104 105void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t *md) 106{ 107 uint128 hash = fnv1a_128_2(data1, len1, data2, len2); 108 memcpy(md, (void *)&hash, 16); 109} 110 111/* HS_PKT_HASH_LENGTH bytes of md */ 112void serialize_fnv128_short(uint128 v, uint8_t *md) 113{ 114 memcpy(md, (void *)&v, 12); 115} 116 117#else 118uint128 *uint128_times(uint128 *v, const uint128 *factor) 119{ 120 uint64_t a96 = v->hi_ >> 32; 121 uint64_t a64 = v->hi_ & 0xffffffffu; 122 uint64_t a32 = v->lo_ >> 32; 123 uint64_t a00 = v->lo_ & 0xffffffffu; 124 uint64_t b96 = factor->hi_ >> 32; 125 uint64_t b64 = factor->hi_ & 0xffffffffu; 126 uint64_t b32 = factor->lo_ >> 32; 127 uint64_t b00 = factor->lo_ & 0xffffffffu; 128 uint64_t tmp, lolo; 129 // multiply [a96 .. a00] x [b96 .. b00] 130 // terms higher than c96 disappear off the high side 131 // terms c96 and c64 are safe to ignore carry bit 132 uint64_t c96 = a96 * b00 + a64 * b32 + a32 * b64 + a00 * b96; 133 uint64_t c64 = a64 * b00 + a32 * b32 + a00 * b64; 134 v->hi_ = (c96 << 32) + c64; 135 v->lo_ = 0; 136 137 tmp = a32 * b00; 138 v->hi_ += tmp >> 32; 139 v->lo_ += tmp << 32; 140 141 tmp = a00 * b32; 142 v->hi_ += tmp >> 32; 143 v->lo_ += tmp << 32; 144 145 tmp = a00 * b00; 146 lolo = v->lo_ + tmp; 147 if (lolo < v->lo_) 148 ++v->hi_; 149 v->lo_ = lolo; 150 151 return v; 152} 153 154void fnv1a_inc(uint128 *hash, const uint8_t * data, int len) 155{ 156 static const uint128 kPrime = {16777216, 315}; 157 const uint8_t* end = data + len; 158 while(data < end) 159 { 160 hash->lo_ = (hash->lo_ ^ (uint64_t)*data); 161 uint128_times(hash, &kPrime); 162 ++data; 163 } 164} 165 166 167uint128 fnv1a_128_2(const uint8_t * data1, int len1, const uint8_t * data2, int len2) 168{ 169 uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)}; 170 fnv1a_inc(&hash, data1, len1); 171 if (data2) 172 fnv1a_inc(&hash, data2, len2); 173 return hash; 174} 175 176 177uint128 fnv1a_128_3(const uint8_t * data1, int len1, 178 const uint8_t * data2, int len2, 179 const uint8_t * data3, int len3) 180{ 181 uint128 hash = {UINT64_C(7809847782465536322), UINT64_C(7113472399480571277)}; 182 fnv1a_inc(&hash, data1, len1); 183 fnv1a_inc(&hash, data2, len2); 184 fnv1a_inc(&hash, data3, len3); 185 return hash; 186} 187 188 189void fnv1a_128_2_s(const uint8_t * data1, int len1, const uint8_t * data2, int len2, uint8_t *md) 190{ 191 uint128 hash = fnv1a_128_2(data1, len1, data2, len2); 192 memcpy(md, (void *)&hash.lo_, 8); 193 memcpy(md + 8, (void *)&hash.hi_, 8); 194} 195 196/* HS_PKT_HASH_LENGTH bytes of md */ 197void serialize_fnv128_short(uint128 v, uint8_t *md) 198{ 199 assert(HS_PKT_HASH_LENGTH == 8 + 4); 200 memcpy(md, (void *)&v.lo_, 8); 201 memcpy(md + 8, (void *)&v.hi_, 4); 202} 203 204#endif 205 206uint128 fnv1a_128(const uint8_t * data, int len) 207{ 208 return fnv1a_128_2(data, len , NULL, 0); 209} 210 211 212void fnv1a_128_s(const uint8_t * data, int len, uint8_t *md) 213{ 214 return fnv1a_128_2_s(data, len, NULL, 0, md); 215} 216 217 218/* packet data = header + MD + payload */ 219/* return 0 if OK */ 220int verify_hs_pkt(const uint8_t *pkg_data, size_t header_len, size_t pkg_len) 221{ 222 uint8_t md[HS_PKT_HASH_LENGTH]; 223 uint128 hash; 224 if (pkg_len < header_len + HS_PKT_HASH_LENGTH) 225 return -1; 226 227 hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH, 228 pkg_len - header_len - HS_PKT_HASH_LENGTH); 229 serialize_fnv128_short(hash, md); 230 return memcmp(md, pkg_data + header_len, HS_PKT_HASH_LENGTH); 231} 232 233/* packet data = header + MD + payload, update the MD part */ 234int update_hs_pkt_hash(uint8_t *pkg_data, int header_len, int pkg_len) 235{ 236 uint8_t md[HS_PKT_HASH_LENGTH]; 237 uint128 hash; 238 if (pkg_len < header_len + HS_PKT_HASH_LENGTH) 239 return -1; 240 241 hash = fnv1a_128_2(pkg_data, header_len, pkg_data + header_len + HS_PKT_HASH_LENGTH, 242 pkg_len - header_len - HS_PKT_HASH_LENGTH); 243 serialize_fnv128_short(hash, md); 244 memcpy(pkg_data + header_len, md, HS_PKT_HASH_LENGTH); 245 return 0; 246} 247 248int get_hs_pkt_hash_len() 249{ 250 return HS_PKT_HASH_LENGTH; 251} 252 253 254void sha256(const uint8_t *buf, int len, uint8_t *h) 255{ 256 SHA256_CTX ctx; 257 SHA256_Init(&ctx); 258 SHA256_Update(&ctx, buf, len); 259 SHA256_Final(h, &ctx); 260} 261 262 263/* base on rfc 5869 with sha256, prk is 32 bytes*/ 264void lshkdf_extract(const unsigned char *ikm, int ikm_len, const unsigned char *salt, 265 int salt_len, unsigned char *prk) 266{ 267#ifndef NDEBUG 268 unsigned char *out; 269 unsigned int out_len; 270 out = 271#endif 272 HMAC(EVP_sha256(), salt, salt_len, ikm, ikm_len, prk, 273#ifndef NDEBUG 274 &out_len 275#else 276 NULL 277#endif 278 ); 279 assert(out); 280 assert(out_len == 32); 281} 282 283 284int lshkdf_expand(const unsigned char *prk, const unsigned char *info, int info_len, 285 uint16_t c_key_len, uint8_t *c_key, 286 uint16_t s_key_len, uint8_t *s_key, 287 uint16_t c_key_iv_len, uint8_t *c_key_iv, 288 uint16_t s_key_iv_len, uint8_t *s_key_iv, 289 uint16_t sub_key_len, uint8_t *sub_key) 290{ 291 const int SHA256LEN = 32; 292 int L = c_key_len + s_key_len + c_key_iv_len + s_key_iv_len + sub_key_len; 293 int N = (L + SHA256LEN - 1) / SHA256LEN; 294 unsigned char *p_org; 295 uint8_t *buf; 296 unsigned char *p; 297 unsigned char T[SHA256LEN + 1]; 298 int T_len = 0; 299 int i; 300 uint8_t *pb; 301 302 p_org = malloc(N * SHA256LEN); 303 if (!p_org) 304 return -1; 305 306 buf = malloc(SHA256LEN + info_len + 13); 307 if (!buf) 308 { 309 free(p_org); 310 return -1; 311 } 312 313 p = p_org; 314 315 for (i = 1; i <= N; ++i) 316 { 317 pb = buf; 318 if (T_len > 0) 319 { 320 memcpy(pb, T, T_len); 321 pb += T_len; 322 } 323 324 memcpy(pb, info, info_len); 325 pb += info_len; 326 *pb = i; 327 ++pb; 328 329 HMAC(EVP_sha256(), prk, SHA256LEN, buf, pb - buf, T, NULL); 330 if (i != N) 331 T_len = SHA256LEN; 332 else 333 T_len = L - (N - 1) * SHA256LEN; 334 335 memcpy(p, T, T_len); 336 p += T_len; 337 } 338 339 free(buf); 340 341 p = p_org; 342 if (c_key_len) 343 { 344 memcpy(c_key, p, c_key_len); 345 p += c_key_len; 346 } 347 if (s_key_len) 348 { 349 memcpy(s_key, p, s_key_len); 350 p += s_key_len; 351 } 352 if (c_key_iv_len) 353 { 354 memcpy(c_key_iv, p, c_key_iv_len); 355 p += c_key_iv_len; 356 } 357 if (s_key_iv_len) 358 { 359 memcpy(s_key_iv, p, s_key_iv_len); 360 p += s_key_iv_len; 361 } 362 if (sub_key_len && sub_key) 363 { 364 memcpy(sub_key, p, sub_key_len); 365 p += sub_key_len; 366 } 367 368 free(p_org); 369 return 0; 370} 371 372 373int export_key_material_simple(unsigned char *ikm, uint32_t ikm_len, 374 unsigned char *salt, int salt_len, 375 char *label, uint32_t label_len, 376 const uint8_t *context, uint32_t context_len, 377 uint8_t *key, uint16_t key_len) 378{ 379 unsigned char prk[32]; 380 int info_len; 381 uint8_t *info = NULL; 382 info = (uint8_t *)malloc(label_len + 1 + sizeof(uint32_t) + context_len); 383 if (!info) 384 return -1; 385 386 lshkdf_extract(ikm, ikm_len, salt, salt_len, prk); 387 memcpy(info, label, label_len); 388 info[label_len] = 0x00; 389 info_len = label_len + 1; 390 memcpy(info + info_len, &context_len, sizeof(uint32_t)); 391 info_len += sizeof(uint32_t); 392 memcpy(info + info_len, context, context_len); 393 info_len += context_len; 394 lshkdf_expand(prk, info, info_len, key_len, key, 395 0, NULL, 0, NULL,0, NULL, 0, NULL); 396 free(info); 397 return 0; 398} 399 400 401int export_key_material(const unsigned char *ikm, uint32_t ikm_len, 402 const unsigned char *salt, int salt_len, 403 const unsigned char *context, uint32_t context_len, 404 uint16_t c_key_len, uint8_t *c_key, 405 uint16_t s_key_len, uint8_t *s_key, 406 uint16_t c_key_iv_len, uint8_t *c_key_iv, 407 uint16_t s_key_iv_len, uint8_t *s_key_iv, 408 uint8_t *sub_key) 409{ 410 unsigned char prk[32]; 411 uint16_t sub_key_len = ikm_len; 412 413 lshkdf_extract(ikm, ikm_len, salt, salt_len, prk); 414 lshkdf_expand(prk, context, context_len, c_key_len, c_key, 415 s_key_len, s_key, c_key_iv_len, c_key_iv, s_key_iv_len, 416 s_key_iv, sub_key_len, sub_key); 417 return 0; 418} 419 420void c255_get_pub_key(unsigned char *priv_key, unsigned char pub_key[32]) 421{ 422 X25519_public_from_private(pub_key, priv_key); 423} 424 425 426int c255_gen_share_key(unsigned char *priv_key, unsigned char *peer_pub_key, unsigned char *shared_key) 427{ 428 return X25519(shared_key, priv_key, peer_pub_key); 429} 430 431 432 433/* AEAD nonce is always zero */ 434/* return 0 for OK */ 435int aes_aead_enc(EVP_AEAD_CTX *key, 436 const uint8_t *ad, size_t ad_len, 437 const uint8_t *nonce, size_t nonce_len, 438 const uint8_t *plain, size_t plain_len, 439 uint8_t *cypher, size_t *cypher_len) 440{ 441 int ret = 0; 442 size_t max_out_len; 443 max_out_len = *cypher_len;//plain_len + EVP_AEAD_max_overhead(aead_); 444 assert(*cypher_len >= max_out_len); 445 446 LSQ_DEBUG("***aes_aead_enc data %s", get_bin_str(plain, plain_len, 40)); 447 ret = EVP_AEAD_CTX_seal(key, cypher, cypher_len, max_out_len, 448 nonce, nonce_len, plain, plain_len, ad, ad_len); 449// LSQ_DEBUG("***aes_aead_enc nonce: %s", get_bin_str(nonce, nonce_len)); 450// LSQ_DEBUG("***aes_aead_enc AD: %s", get_bin_str(ad, ad_len)); 451// LSQ_DEBUG("***aes_aead_enc return %d", (ret ? 0 : -1)); 452 if (ret) 453 { 454 LSQ_DEBUG("***aes_aead_enc succeed, cypher content %s", 455 get_bin_str(cypher, *cypher_len, 40)); 456 return 0; 457 } 458 else 459 { 460 LSQ_DEBUG("***aes_aead_enc failed."); 461 return -1; 462 } 463} 464 465 466/* return 0 for OK */ 467int aes_aead_dec(EVP_AEAD_CTX *key, 468 const uint8_t *ad, size_t ad_len, 469 const uint8_t *nonce, size_t nonce_len, 470 const uint8_t *cypher, size_t cypher_len, 471 uint8_t *plain, size_t *plain_len) 472{ 473 int ret = 0; 474 size_t max_out_len = *plain_len; 475 assert(max_out_len >= cypher_len); 476 477 LSQ_DEBUG("***aes_aead_dec data %s", get_bin_str(cypher, cypher_len, 40)); 478 479 480 ret = EVP_AEAD_CTX_open(key, plain, plain_len, max_out_len, 481 nonce, nonce_len, cypher, cypher_len, ad, ad_len); 482 483// LSQ_DEBUG("***aes_aead_dec nonce: %s", get_bin_str(nonce, nonce_len)); 484// LSQ_DEBUG("***aes_aead_dec AD: %s", get_bin_str(ad, ad_len)); 485// LSQ_DEBUG("***aes_aead_dec return %d", (ret ? 0 : -1)); 486 if (ret) 487 { 488 LSQ_DEBUG("***aes_aead_dec succeed, plain content %s", 489 get_bin_str(plain, *plain_len, 20)); 490 return 0; 491 } 492 else 493 { 494 LSQ_DEBUG("***aes_aead_dec failed."); 495 return -1; 496 } 497} 498 499/* aes 128, 16 bytes */ 500int aes_get_key_length() 501{ 502 return 16; 503} 504 505void gen_nonce_s(char *buf, int length) 506{ 507 rand_bytes(buf, length); 508} 509 510/* 32 bytes client nonce with 4 bytes tm, 8 bytes orbit */ 511void gen_nonce_c(unsigned char *buf, uint64_t orbit) 512{ 513 time_t tm = time(NULL); 514 unsigned char *p = buf; 515 memcpy(p, &tm, 4); 516 p += 4; 517 memcpy(p, &orbit, 8); 518 p += 8; 519 rand_bytes(p, 20); 520 p += 20; 521} 522 523 524EVP_PKEY *PEM_to_key(const char *buf, int len) 525{ 526 RSA *rsa = NULL; 527 EVP_PKEY *key = EVP_PKEY_new(); 528 BIO *bio = BIO_new_mem_buf(buf, len); 529 if (!bio || !key) 530 return NULL; 531 532 rsa = PEM_read_bio_RSAPrivateKey(bio, &rsa, NULL, NULL); 533 if (!rsa) 534 return NULL; 535 536 EVP_PKEY_assign_RSA(key, rsa); 537 return key; 538} 539 540 541/* type 0 DER, 1: PEM */ 542X509 *bio_to_crt(const void *buf, int len, int type) 543{ 544 X509 *crt = NULL; 545 BIO *bio = BIO_new_mem_buf(buf, len); 546 if (bio == NULL) 547 return NULL; 548 549 if (type == 0) 550 crt = d2i_X509_bio(bio, NULL); 551 else 552 crt = PEM_read_bio_X509(bio, &crt, 0 , NULL); 553 BIO_free(bio); 554 return crt; 555} 556 557 558int read_rsa_priv_key(const uint8_t *buf, int len, EVP_PKEY *pkey) 559{ 560 561 RSA *rsa = RSA_private_key_from_bytes(buf, len); 562 if (!rsa) 563 return -1; 564 565 return EVP_PKEY_assign_RSA(pkey, rsa); 566} 567 568 569int gen_prof(const uint8_t *chlo_data, size_t chlo_data_len, 570 const uint8_t *scfg_data, uint32_t scfg_data_len, 571 const EVP_PKEY *priv_key, uint8_t *buf, size_t *buf_len) 572{ 573 uint8_t chlo_hash[32] = {0}; 574 size_t chlo_hash_len = 32; /* SHA256 */ 575 EVP_MD_CTX sign_context; 576 EVP_PKEY_CTX* pkey_ctx = NULL; 577 578 sha256(chlo_data, chlo_data_len, chlo_hash); 579 EVP_MD_CTX_init(&sign_context); 580 if (!EVP_DigestSignInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)priv_key)) 581 return -1; 582 583 EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING); 584 EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1); 585 586 if (!EVP_DigestSignUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) || 587 !EVP_DigestSignUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) || 588 !EVP_DigestSignUpdate(&sign_context, chlo_hash, chlo_hash_len) || 589 !EVP_DigestSignUpdate(&sign_context, scfg_data, scfg_data_len)) 590 { 591 return -1; 592 } 593 594 size_t len = 0; 595 if (!EVP_DigestSignFinal(&sign_context, NULL, &len)) { 596 return -1; 597 } 598 599 if (len > *buf_len) 600 return -2; 601 if (buf) 602 EVP_DigestSignFinal(&sign_context, buf, buf_len); 603 604 EVP_MD_CTX_cleanup(&sign_context); 605 return 0; 606} 607 608 609int verify_cert(const char *buf, int len) 610{ 611 //X509_verify_cert(); 612 613 return 0; 614} 615 616 617int verify_prof(const uint8_t *chlo_data, size_t chlo_data_len, lsquic_str_t * scfg, 618 const EVP_PKEY *pub_key, const uint8_t *buf, size_t len) 619{ 620 return verify_prof0(chlo_data, chlo_data_len, 621 (const uint8_t *)lsquic_str_buf(scfg), 622 lsquic_str_len(scfg), pub_key, buf, len); 623} 624 625 626 627 628/* -3 internal error, -1: verify failed, 0: Success */ 629int verify_prof0(const uint8_t *chlo_data, size_t chlo_data_len, 630 const uint8_t *scfg_data, uint32_t scfg_data_len, 631 const EVP_PKEY *pub_key, const uint8_t *buf, size_t len) 632{ 633 uint8_t chlo_hash[32] = {0}; 634 size_t chlo_hash_len = 32; /* SHA256 */ 635 EVP_MD_CTX sign_context; 636 EVP_PKEY_CTX* pkey_ctx = NULL; 637 int ret = 0; 638 EVP_MD_CTX_init(&sign_context); 639 sha256(chlo_data, chlo_data_len, chlo_hash); 640 641 // discarding const below to quiet compiler warning on call to ssl library code 642 if (!EVP_DigestVerifyInit(&sign_context, &pkey_ctx, EVP_sha256(), NULL, (EVP_PKEY *)pub_key)) 643 return -4; 644 645 EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING); 646 EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, -1); 647 648 649 if (!EVP_DigestVerifyUpdate(&sign_context, s_hs_signature, sizeof(s_hs_signature)) || 650 !EVP_DigestVerifyUpdate(&sign_context, (const uint8_t*)(&chlo_hash_len), 4) || 651 !EVP_DigestVerifyUpdate(&sign_context, chlo_hash, chlo_hash_len) || 652 !EVP_DigestVerifyUpdate(&sign_context, scfg_data, scfg_data_len)) 653 { 654 return -3; /* set to -3, to avoid same as "not enough data" -2 */ 655 } 656 657 ret = EVP_DigestVerifyFinal(&sign_context, buf, len); 658 EVP_MD_CTX_cleanup(&sign_context); 659 660 if (ret == 1) 661 return 0; //OK 662 else 663 return -1; //failed 664} 665 666 667void crypto_init(void *seed, int seed_len) 668{ 669 if (crypto_inited) 670 return ; 671 672 //SSL_library_init(); 673 CRYPTO_library_init(); 674 RAND_seed(seed, seed_len); 675 676#if defined( __x86_64 )||defined( __x86_64__ ) 677 make_uint128(&s_prime, 16777216, 315); 678 make_uint128(&s_init_hash, 7809847782465536322, 7113472399480571277); 679#endif 680 681 /* MORE .... */ 682 crypto_inited = 1; 683} 684 685