1 #include "quic_record_shared.h"
2 #include "internal/quic_record_util.h"
3 #include "internal/common.h"
4 #include "../ssl_local.h"
5
6 /* Constants used for key derivation in QUIC v1. */
7 static const unsigned char quic_v1_iv_label[] = {
8 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */
9 };
10 static const unsigned char quic_v1_key_label[] = {
11 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */
12 };
13 static const unsigned char quic_v1_hp_label[] = {
14 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */
15 };
16 static const unsigned char quic_v1_ku_label[] = {
17 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x75 /* "quic ku" */
18 };
19
ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level,int require_prov)20 OSSL_QRL_ENC_LEVEL *ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET *els,
21 uint32_t enc_level,
22 int require_prov)
23 {
24 OSSL_QRL_ENC_LEVEL *el;
25
26 if (!ossl_assert(enc_level < QUIC_ENC_LEVEL_NUM))
27 return NULL;
28
29 el = &els->el[enc_level];
30
31 if (require_prov)
32 switch (el->state) {
33 case QRL_EL_STATE_PROV_NORMAL:
34 case QRL_EL_STATE_PROV_UPDATING:
35 case QRL_EL_STATE_PROV_COOLDOWN:
36 break;
37 default:
38 return NULL;
39 }
40
41 return el;
42 }
43
ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level)44 int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET *els,
45 uint32_t enc_level)
46 {
47 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
48
49 switch (el->state) {
50 case QRL_EL_STATE_UNPROV:
51 return 0;
52 case QRL_EL_STATE_PROV_NORMAL:
53 case QRL_EL_STATE_PROV_UPDATING:
54 case QRL_EL_STATE_PROV_COOLDOWN:
55 return 1;
56 default:
57 case QRL_EL_STATE_DISCARDED:
58 return -1;
59 }
60 }
61
ossl_qrl_enc_level_set_has_keyslot(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level,unsigned char tgt_state,size_t keyslot)62 int ossl_qrl_enc_level_set_has_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
63 uint32_t enc_level,
64 unsigned char tgt_state,
65 size_t keyslot)
66 {
67 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
68
69 if (!ossl_assert(el != NULL && keyslot < 2))
70 return 0;
71
72 switch (tgt_state) {
73 case QRL_EL_STATE_PROV_NORMAL:
74 case QRL_EL_STATE_PROV_UPDATING:
75 return enc_level == QUIC_ENC_LEVEL_1RTT || keyslot == 0;
76 case QRL_EL_STATE_PROV_COOLDOWN:
77 assert(enc_level == QUIC_ENC_LEVEL_1RTT);
78 return keyslot == (el->key_epoch & 1);
79 default:
80 return 0;
81 }
82 }
83
el_teardown_keyslot(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level,size_t keyslot)84 static void el_teardown_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
85 uint32_t enc_level,
86 size_t keyslot)
87 {
88 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
89
90 if (!ossl_qrl_enc_level_set_has_keyslot(els, enc_level, el->state, keyslot))
91 return;
92
93 if (el->cctx[keyslot] != NULL) {
94 EVP_CIPHER_CTX_free(el->cctx[keyslot]);
95 el->cctx[keyslot] = NULL;
96 }
97
98 OPENSSL_cleanse(el->iv[keyslot], sizeof(el->iv[keyslot]));
99 }
100
el_setup_keyslot(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level,unsigned char tgt_state,size_t keyslot,const unsigned char * secret,size_t secret_len)101 static int el_setup_keyslot(OSSL_QRL_ENC_LEVEL_SET *els,
102 uint32_t enc_level,
103 unsigned char tgt_state,
104 size_t keyslot,
105 const unsigned char *secret,
106 size_t secret_len)
107 {
108 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
109 unsigned char key[EVP_MAX_KEY_LENGTH];
110 size_t key_len = 0, iv_len = 0;
111 const char *cipher_name = NULL;
112 EVP_CIPHER *cipher = NULL;
113 EVP_CIPHER_CTX *cctx = NULL;
114
115 if (!ossl_assert(el != NULL
116 && ossl_qrl_enc_level_set_has_keyslot(els, enc_level,
117 tgt_state, keyslot))) {
118 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
119 return 0;
120 }
121
122 cipher_name = ossl_qrl_get_suite_cipher_name(el->suite_id);
123 iv_len = ossl_qrl_get_suite_cipher_iv_len(el->suite_id);
124 key_len = ossl_qrl_get_suite_cipher_key_len(el->suite_id);
125 if (cipher_name == NULL) {
126 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
127 return 0;
128 }
129
130 if (secret_len != ossl_qrl_get_suite_secret_len(el->suite_id)
131 || secret_len > EVP_MAX_KEY_LENGTH) {
132 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
133 return 0;
134 }
135
136 assert(el->cctx[keyslot] == NULL);
137
138 /* Derive "quic iv" key. */
139 if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
140 el->md,
141 secret,
142 quic_v1_iv_label,
143 sizeof(quic_v1_iv_label),
144 NULL, 0,
145 el->iv[keyslot], iv_len, 1))
146 goto err;
147
148 /* Derive "quic key" key. */
149 if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
150 el->md,
151 secret,
152 quic_v1_key_label,
153 sizeof(quic_v1_key_label),
154 NULL, 0,
155 key, key_len, 1))
156 goto err;
157
158 /* Create and initialise cipher context. */
159 if ((cipher = EVP_CIPHER_fetch(el->libctx, cipher_name, el->propq)) == NULL) {
160 ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
161 goto err;
162 }
163
164 if ((cctx = EVP_CIPHER_CTX_new()) == NULL) {
165 ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
166 goto err;
167 }
168
169 if (!ossl_assert(iv_len == (size_t)EVP_CIPHER_get_iv_length(cipher))
170 || !ossl_assert(key_len == (size_t)EVP_CIPHER_get_key_length(cipher))) {
171 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
172 goto err;
173 }
174
175 /* IV will be changed on RX/TX so we don't need to use a real value here. */
176 if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, el->iv[keyslot], 0)) {
177 ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
178 goto err;
179 }
180
181 el->cctx[keyslot] = cctx;
182
183 /* Zeroize intermediate keys. */
184 OPENSSL_cleanse(key, sizeof(key));
185 EVP_CIPHER_free(cipher);
186 return 1;
187
188 err:
189 EVP_CIPHER_CTX_free(cctx);
190 EVP_CIPHER_free(cipher);
191 OPENSSL_cleanse(el->iv[keyslot], sizeof(el->iv[keyslot]));
192 OPENSSL_cleanse(key, sizeof(key));
193 return 0;
194 }
195
ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET * els,OSSL_LIB_CTX * libctx,const char * propq,uint32_t enc_level,uint32_t suite_id,EVP_MD * md,const unsigned char * secret,size_t secret_len,unsigned char init_key_phase_bit,int is_tx)196 int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET *els,
197 OSSL_LIB_CTX *libctx,
198 const char *propq,
199 uint32_t enc_level,
200 uint32_t suite_id,
201 EVP_MD *md,
202 const unsigned char *secret,
203 size_t secret_len,
204 unsigned char init_key_phase_bit,
205 int is_tx)
206 {
207 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
208 unsigned char ku_key[EVP_MAX_KEY_LENGTH], hpr_key[EVP_MAX_KEY_LENGTH];
209 int have_ks0 = 0, have_ks1 = 0, own_md = 0;
210 const char *md_name = ossl_qrl_get_suite_md_name(suite_id);
211 size_t hpr_key_len, init_keyslot;
212
213 if (el == NULL
214 || md_name == NULL
215 || init_key_phase_bit > 1 || is_tx < 0 || is_tx > 1
216 || (init_key_phase_bit > 0 && enc_level != QUIC_ENC_LEVEL_1RTT)) {
217 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
218 return 0;
219 }
220
221 if (enc_level == QUIC_ENC_LEVEL_INITIAL
222 && el->state == QRL_EL_STATE_PROV_NORMAL) {
223 /*
224 * Sometimes the INITIAL EL needs to be reprovisioned, namely if a
225 * connection retry occurs. Exceptionally, if the caller wants to
226 * reprovision the INITIAL EL, tear it down as usual and then override
227 * the state so it can be provisioned again.
228 */
229 ossl_qrl_enc_level_set_discard(els, enc_level);
230 el->state = QRL_EL_STATE_UNPROV;
231 }
232
233 if (el->state != QRL_EL_STATE_UNPROV) {
234 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
235 return 0;
236 }
237
238 init_keyslot = is_tx ? 0 : init_key_phase_bit;
239 hpr_key_len = ossl_qrl_get_suite_hdr_prot_key_len(suite_id);
240 if (hpr_key_len == 0) {
241 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
242 return 0;
243 }
244
245 if (md == NULL) {
246 md = EVP_MD_fetch(libctx, md_name, propq);
247 if (md == NULL) {
248 ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
249 return 0;
250 }
251
252 own_md = 1;
253 }
254
255 el->libctx = libctx;
256 el->propq = propq;
257 el->md = md;
258 el->suite_id = suite_id;
259 el->tag_len = ossl_qrl_get_suite_cipher_tag_len(suite_id);
260 el->op_count = 0;
261 el->key_epoch = (uint64_t)init_key_phase_bit;
262 el->is_tx = (unsigned char)is_tx;
263
264 /* Derive "quic hp" key. */
265 if (!tls13_hkdf_expand_ex(libctx, propq,
266 md,
267 secret,
268 quic_v1_hp_label,
269 sizeof(quic_v1_hp_label),
270 NULL, 0,
271 hpr_key, hpr_key_len, 1))
272 goto err;
273
274 /* Setup KS0 (or KS1 if init_key_phase_bit), our initial keyslot. */
275 if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
276 init_keyslot, secret, secret_len))
277 goto err;
278
279 have_ks0 = 1;
280
281 if (enc_level == QUIC_ENC_LEVEL_1RTT) {
282 /* Derive "quic ku" key (the epoch 1 secret). */
283 if (!tls13_hkdf_expand_ex(libctx, propq,
284 md,
285 secret,
286 quic_v1_ku_label,
287 sizeof(quic_v1_ku_label),
288 NULL, 0,
289 is_tx ? el->ku : ku_key, secret_len, 1))
290 goto err;
291
292 if (!is_tx) {
293 /* Setup KS1 (or KS0 if init_key_phase_bit), our next keyslot. */
294 if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
295 !init_keyslot, ku_key, secret_len))
296 goto err;
297
298 have_ks1 = 1;
299
300 /* Derive NEXT "quic ku" key (the epoch 2 secret). */
301 if (!tls13_hkdf_expand_ex(libctx, propq,
302 md,
303 ku_key,
304 quic_v1_ku_label,
305 sizeof(quic_v1_ku_label),
306 NULL, 0,
307 el->ku, secret_len, 1))
308 goto err;
309 }
310 }
311
312 /* Setup header protection context. */
313 if (!ossl_quic_hdr_protector_init(&el->hpr,
314 libctx, propq,
315 ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id),
316 hpr_key, hpr_key_len))
317 goto err;
318
319 /*
320 * We are now provisioned: KS0 has our current key (for key epoch 0), KS1
321 * has our next key (for key epoch 1, in the case of the 1-RTT EL only), and
322 * el->ku has the secret which will be used to generate keys for key epoch
323 * 2.
324 */
325 OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
326 OPENSSL_cleanse(ku_key, sizeof(ku_key));
327 el->state = QRL_EL_STATE_PROV_NORMAL;
328 return 1;
329
330 err:
331 el->suite_id = 0;
332 el->md = NULL;
333 OPENSSL_cleanse(hpr_key, sizeof(hpr_key));
334 OPENSSL_cleanse(ku_key, sizeof(ku_key));
335 OPENSSL_cleanse(el->ku, sizeof(el->ku));
336 if (have_ks0)
337 el_teardown_keyslot(els, enc_level, init_keyslot);
338 if (have_ks1)
339 el_teardown_keyslot(els, enc_level, !init_keyslot);
340 if (own_md)
341 EVP_MD_free(md);
342 return 0;
343 }
344
ossl_qrl_enc_level_set_key_update(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level)345 int ossl_qrl_enc_level_set_key_update(OSSL_QRL_ENC_LEVEL_SET *els,
346 uint32_t enc_level)
347 {
348 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
349 size_t secret_len;
350 unsigned char new_ku[EVP_MAX_KEY_LENGTH];
351
352 if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
353 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
354 return 0;
355 }
356
357 if (el->state != QRL_EL_STATE_PROV_NORMAL) {
358 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
359 return 0;
360 }
361
362 if (!el->is_tx) {
363 /*
364 * We already have the key for the next epoch, so just move to using it.
365 */
366 ++el->key_epoch;
367 el->state = QRL_EL_STATE_PROV_UPDATING;
368 return 1;
369 }
370
371 /*
372 * TX case. For the TX side we use only keyslot 0; it replaces the old key
373 * immediately.
374 */
375 secret_len = ossl_qrl_get_suite_secret_len(el->suite_id);
376
377 /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
378 if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
379 el->md, el->ku,
380 quic_v1_ku_label,
381 sizeof(quic_v1_ku_label),
382 NULL, 0,
383 new_ku, secret_len, 1))
384 return 0;
385
386 el_teardown_keyslot(els, enc_level, 0);
387
388 /* Setup keyslot for CURRENT "quic ku" key. */
389 if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
390 0, el->ku, secret_len))
391 return 0;
392
393 ++el->key_epoch;
394 el->op_count = 0;
395 memcpy(el->ku, new_ku, secret_len);
396 /* Remain in PROV_NORMAL state */
397 return 1;
398 }
399
400 /* Transitions from PROV_UPDATING to PROV_COOLDOWN. */
ossl_qrl_enc_level_set_key_update_done(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level)401 int ossl_qrl_enc_level_set_key_update_done(OSSL_QRL_ENC_LEVEL_SET *els,
402 uint32_t enc_level)
403 {
404 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
405
406 if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
407 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
408 return 0;
409 }
410
411 /* No new key yet, but erase key material to aid PFS. */
412 el_teardown_keyslot(els, enc_level, ~el->key_epoch & 1);
413 el->state = QRL_EL_STATE_PROV_COOLDOWN;
414 return 1;
415 }
416
417 /*
418 * Transitions from PROV_COOLDOWN to PROV_NORMAL. (If in PROV_UPDATING,
419 * auto-transitions to PROV_COOLDOWN first.)
420 */
ossl_qrl_enc_level_set_key_cooldown_done(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level)421 int ossl_qrl_enc_level_set_key_cooldown_done(OSSL_QRL_ENC_LEVEL_SET *els,
422 uint32_t enc_level)
423 {
424 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
425 size_t secret_len;
426 unsigned char new_ku[EVP_MAX_KEY_LENGTH];
427
428 if (el == NULL || !ossl_assert(enc_level == QUIC_ENC_LEVEL_1RTT)) {
429 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT);
430 return 0;
431 }
432
433 if (el->state == QRL_EL_STATE_PROV_UPDATING
434 && !ossl_qrl_enc_level_set_key_update_done(els, enc_level)) {
435 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
436 return 0;
437 }
438
439 if (el->state != QRL_EL_STATE_PROV_COOLDOWN) {
440 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
441 return 0;
442 }
443
444 secret_len = ossl_qrl_get_suite_secret_len(el->suite_id);
445
446 if (!el_setup_keyslot(els, enc_level, QRL_EL_STATE_PROV_NORMAL,
447 ~el->key_epoch & 1, el->ku, secret_len))
448 return 0;
449
450 /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
451 if (!tls13_hkdf_expand_ex(el->libctx, el->propq,
452 el->md,
453 el->ku,
454 quic_v1_ku_label,
455 sizeof(quic_v1_ku_label),
456 NULL, 0,
457 new_ku, secret_len, 1)) {
458 el_teardown_keyslot(els, enc_level, ~el->key_epoch & 1);
459 return 0;
460 }
461
462 memcpy(el->ku, new_ku, secret_len);
463 el->state = QRL_EL_STATE_PROV_NORMAL;
464 return 1;
465 }
466
467 /*
468 * Discards keying material for a given encryption level. Transitions from any
469 * state to DISCARDED.
470 */
ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET * els,uint32_t enc_level)471 void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET *els,
472 uint32_t enc_level)
473 {
474 OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0);
475
476 if (el == NULL || el->state == QRL_EL_STATE_DISCARDED)
477 return;
478
479 if (ossl_qrl_enc_level_set_have_el(els, enc_level) == 1) {
480 ossl_quic_hdr_protector_cleanup(&el->hpr);
481
482 el_teardown_keyslot(els, enc_level, 0);
483 el_teardown_keyslot(els, enc_level, 1);
484 }
485
486 EVP_MD_free(el->md);
487 el->md = NULL;
488 el->state = QRL_EL_STATE_DISCARDED;
489 }
490