Line data Source code
1 : #include "fd_quic_common.h"
2 : #include "fd_quic_retry_private.h"
3 : #include "crypto/fd_quic_crypto_suites.h"
4 : #include "fd_quic_conn_id.h"
5 : #include "fd_quic_enum.h"
6 : #include "fd_quic_private.h"
7 : #include "../../ballet/aes/fd_aes_gcm.h"
8 : #include <assert.h>
9 :
10 : FD_STATIC_ASSERT( FD_QUIC_RETRY_LOCAL_SZ==
11 : FD_QUIC_MAX_FOOTPRINT(retry_hdr) +
12 : sizeof(fd_quic_retry_token_t) +
13 : FD_QUIC_CRYPTO_TAG_SZ,
14 : layout );
15 :
16 : ulong
17 : fd_quic_retry_pseudo(
18 : uchar out[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ],
19 : void const * retry_pkt,
20 : ulong retry_pkt_sz,
21 0 : fd_quic_conn_id_t const * orig_dst_conn_id ) {
22 :
23 0 : if( FD_UNLIKELY( retry_pkt_sz <= FD_QUIC_CRYPTO_TAG_SZ ||
24 0 : retry_pkt_sz > FD_QUIC_RETRY_MAX_SZ ) ) {
25 0 : return FD_QUIC_PARSE_FAIL;
26 0 : }
27 :
28 : /* Retry Pseudo-Packet {
29 : ODCID Length (8),
30 : Original Destination Connection ID (0..160),
31 : Header Form (1) = 1,
32 : Fixed Bit (1) = 1,
33 : Long Packet Type (2) = 3,
34 : Unused (4),
35 : Version (32),
36 : DCID Len (8),
37 : Destination Connection ID (0..160),
38 : SCID Len (8),
39 : Source Connection ID (0..160),
40 : Retry Token (..),
41 : } */
42 :
43 0 : uchar * cur_ptr = out;
44 :
45 0 : cur_ptr[0] = (uchar)orig_dst_conn_id->sz;
46 0 : cur_ptr += 1;
47 :
48 0 : memcpy( cur_ptr, orig_dst_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz is safe */
49 0 : cur_ptr += orig_dst_conn_id->sz;
50 :
51 0 : ulong stripped_retry_sz = retry_pkt_sz - FD_QUIC_CRYPTO_TAG_SZ; /* >0 */
52 0 : fd_memcpy( cur_ptr, retry_pkt, stripped_retry_sz );
53 0 : cur_ptr += stripped_retry_sz;
54 :
55 0 : return (ulong)cur_ptr - (ulong)out;
56 0 : }
57 :
58 : ulong
59 : fd_quic_retry_create(
60 : uchar retry[FD_QUIC_RETRY_LOCAL_SZ], /* out */
61 : fd_quic_pkt_t const * pkt,
62 : fd_rng_t * rng,
63 : uchar const retry_secret[ FD_QUIC_RETRY_SECRET_SZ ],
64 : uchar const retry_iv[ FD_QUIC_RETRY_IV_SZ ],
65 : fd_quic_conn_id_t const * orig_dst_conn_id,
66 : fd_quic_conn_id_t const * src_conn_id,
67 : ulong new_conn_id,
68 : long expire_at
69 0 : ) {
70 :
71 0 : uchar * out_ptr = retry;
72 0 : ulong out_free = FD_QUIC_RETRY_LOCAL_SZ;
73 :
74 : /* Craft a new Retry packet */
75 :
76 0 : fd_quic_retry_hdr_t retry_hdr[1] = {{
77 0 : .h0 = 0xf0,
78 0 : .version = 1,
79 0 : .dst_conn_id_len = src_conn_id->sz,
80 : // .dst_conn_id (initialized below)
81 0 : .src_conn_id_len = FD_QUIC_CONN_ID_SZ,
82 : // .src_conn_id (initialized below)
83 0 : }};
84 0 : memcpy( retry_hdr->dst_conn_id, src_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ );
85 0 : FD_STORE( ulong, retry_hdr->src_conn_id, new_conn_id );
86 0 : ulong rc = fd_quic_encode_retry_hdr( retry, FD_QUIC_RETRY_LOCAL_SZ, retry_hdr );
87 0 : assert( rc!=FD_QUIC_PARSE_FAIL );
88 0 : if( FD_UNLIKELY( rc==FD_QUIC_PARSE_FAIL ) ) FD_LOG_CRIT(( "fd_quic_encode_retry_hdr failed" ));
89 0 : out_ptr += rc;
90 0 : out_free -= rc;
91 :
92 : /* Craft a new retry token */
93 :
94 0 : fd_quic_retry_token_t * retry_token = fd_type_pun( out_ptr );
95 0 : assert( out_free >= sizeof(fd_quic_retry_token_t) );
96 :
97 0 : uint src_ip4_addr = pkt->ip4->saddr; /* net order */
98 0 : ushort src_udp_port = (ushort)fd_ushort_bswap( (ushort)pkt->udp->net_sport );
99 :
100 0 : fd_quic_retry_data_new( &retry_token->data, rng );
101 0 : fd_quic_retry_data_set_ip4( &retry_token->data, src_ip4_addr );
102 0 : retry_token->data.udp_port = (ushort)src_udp_port;
103 0 : retry_token->data.expire_comp = (ulong)( expire_at >> FD_QUIC_RETRY_EXPIRE_SHIFT );
104 :
105 0 : retry_token->data.rscid = new_conn_id;
106 0 : retry_token->data.odcid_sz = orig_dst_conn_id->sz;
107 0 : memcpy( retry_token->data.odcid, orig_dst_conn_id->conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
108 :
109 : /* Create the inner integrity tag (non-standard) */
110 :
111 0 : fd_aes_gcm_t aes_gcm[1];
112 0 : fd_quic_retry_token_sign( retry_token, aes_gcm, retry_secret, retry_iv );
113 0 : memset( aes_gcm, 0, sizeof(fd_aes_gcm_t) );
114 :
115 0 : out_ptr += sizeof(fd_quic_retry_token_t);
116 0 : out_free -= sizeof(fd_quic_retry_token_t);
117 :
118 : # if FD_QUIC_DISABLE_CRYPTO
119 :
120 : memset( out_ptr, 0, FD_QUIC_CRYPTO_TAG_SZ );
121 : out_ptr += FD_QUIC_CRYPTO_TAG_SZ;
122 : out_free -= FD_QUIC_CRYPTO_TAG_SZ;
123 :
124 : # else
125 :
126 : /* Create the outer integrity tag (standard) */
127 :
128 0 : ulong retry_unsigned_sz = (ulong)out_ptr - (ulong)retry;
129 :
130 0 : uchar retry_pseudo_buf[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ];
131 0 : ulong retry_pseudo_sz = fd_quic_retry_pseudo( retry_pseudo_buf, retry, retry_unsigned_sz + FD_QUIC_CRYPTO_TAG_SZ, orig_dst_conn_id );
132 0 : if( FD_UNLIKELY( retry_pseudo_sz==FD_QUIC_PARSE_FAIL ) ) FD_LOG_ERR(( "fd_quic_retry_pseudo_hdr failed" ));
133 0 : fd_quic_retry_integrity_tag_sign( aes_gcm, retry_pseudo_buf, retry_pseudo_sz, out_ptr );
134 0 : out_ptr += FD_QUIC_CRYPTO_TAG_SZ;
135 0 : out_free -= FD_QUIC_CRYPTO_TAG_SZ;
136 :
137 0 : # endif /* FD_QUIC_DISABLE_CRYPTO */
138 :
139 0 : assert( (ulong)out_ptr - (ulong)retry <= FD_QUIC_RETRY_LOCAL_SZ );
140 0 : ulong retry_sz = (ulong)out_ptr - (ulong)retry;
141 0 : return retry_sz;
142 0 : }
143 :
144 : int
145 : fd_quic_retry_server_verify(
146 : fd_quic_pkt_t const * pkt,
147 : fd_quic_initial_t const * initial,
148 : fd_quic_conn_id_t * orig_dst_conn_id, /* out */
149 : ulong * retry_src_conn_id, /* out */
150 : uchar const retry_secret[ FD_QUIC_RETRY_SECRET_SZ ],
151 : uchar const retry_iv[ FD_QUIC_RETRY_IV_SZ ],
152 : long now,
153 : long ttl
154 0 : ) {
155 :
156 : /* We told the client to retry with a DCID chosen by us, and we
157 : always use conn IDs of the same size */
158 0 : if( FD_UNLIKELY( initial->dst_conn_id_len != FD_QUIC_CONN_ID_SZ ) ) {
159 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry with weird dst conn ID sz, rejecting" )); )
160 0 : return FD_QUIC_FAILED;
161 0 : }
162 :
163 : /* fd_quic always uses retry tokens of the same size */
164 0 : if( FD_UNLIKELY( initial->token_len != sizeof(fd_quic_retry_token_t) ) ) {
165 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry with weird token sz, rejecting" )); )
166 0 : return FD_QUIC_FAILED;
167 0 : }
168 :
169 0 : fd_quic_retry_token_t const * retry_token = fd_type_pun_const( initial->token );
170 0 : if( FD_UNLIKELY( retry_token->data.odcid_sz > FD_QUIC_MAX_CONN_ID_SZ ) ) {
171 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry token with invalid ODCID or RSCID, rejecting" )); )
172 0 : return FD_QUIC_FAILED;
173 0 : }
174 :
175 0 : fd_aes_gcm_t aes_gcm[1];
176 0 : int vfy_res = fd_quic_retry_token_verify( retry_token, aes_gcm, retry_secret, retry_iv );
177 0 : memset( aes_gcm, 0, sizeof(fd_aes_gcm_t) );
178 :
179 0 : uint pkt_ip4 = pkt->ip4->saddr;
180 0 : uint retry_ip4 = FD_LOAD( uint, retry_token->data.ip6_addr + 12 );
181 0 : int is_ip4 = 0==memcmp( retry_token->data.ip6_addr, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff", 12 );
182 0 : uint pkt_port = fd_ushort_bswap( (ushort)pkt->udp->net_sport );
183 0 : uint retry_port = retry_token->data.udp_port;
184 0 : long expire_at = (long)retry_token->data.expire_comp << FD_QUIC_RETRY_EXPIRE_SHIFT;
185 0 : long expire_before = now + ttl;
186 :
187 0 : int is_match =
188 0 : vfy_res == FD_QUIC_SUCCESS &&
189 0 : is_ip4 &&
190 0 : pkt_ip4 == retry_ip4 &&
191 0 : pkt_port == retry_port &&
192 0 : now < expire_at &&
193 0 : expire_at < expire_before; /* token was issued in the future */
194 :
195 0 : FD_DEBUG(
196 0 : if( vfy_res!=FD_QUIC_SUCCESS ) FD_LOG_DEBUG(( "Invalid Retry Token" ));
197 0 : else if( now >= expire_at ) FD_LOG_DEBUG(( "Expired Retry Token" ));
198 0 : else if( expire_at >= expire_before ) FD_LOG_WARNING(( "Retry Token issued in the future" ));
199 0 : else if( !is_match ) FD_LOG_DEBUG(( "Foreign Retry Token" ));
200 0 : )
201 :
202 0 : orig_dst_conn_id->sz = (uchar)retry_token->data.odcid_sz;
203 0 : memcpy( orig_dst_conn_id->conn_id, retry_token->data.odcid, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
204 0 : *retry_src_conn_id = retry_token->data.rscid;
205 :
206 0 : return is_match ? FD_QUIC_SUCCESS : FD_QUIC_FAILED;
207 0 : }
208 :
209 : int
210 : fd_quic_retry_client_verify( uchar const * const retry_ptr,
211 : ulong const retry_sz,
212 : fd_quic_conn_id_t const * orig_dst_conn_id,
213 : fd_quic_conn_id_t * src_conn_id, /* out */
214 : uchar const ** token,
215 0 : ulong * token_sz ) {
216 :
217 0 : uchar const * cur_ptr = retry_ptr;
218 0 : ulong cur_sz = retry_sz;
219 :
220 : /* Consume retry header */
221 :
222 0 : fd_quic_retry_hdr_t retry_hdr[1] = {{0}};
223 0 : ulong decode_rc = fd_quic_decode_retry_hdr( retry_hdr, cur_ptr, cur_sz );
224 0 : if( FD_UNLIKELY( decode_rc == FD_QUIC_PARSE_FAIL ) ) {
225 0 : FD_DEBUG( FD_LOG_DEBUG(( "fd_quic_decode_retry failed" )); )
226 0 : return FD_QUIC_FAILED;
227 0 : }
228 0 : cur_ptr += decode_rc;
229 0 : cur_sz -= decode_rc;
230 :
231 0 : if( FD_UNLIKELY( retry_hdr->src_conn_id_len == 0 ) ) {
232 : /* something is horribly broken or some attack - ignore packet */
233 0 : FD_DEBUG( FD_LOG_DEBUG(( "Missing source conn ID" )); )
234 0 : return FD_QUIC_FAILED;
235 0 : }
236 :
237 : /* Consume retry token
238 : > A client MUST discard a Retry packet with a zero-length Retry Token field. */
239 :
240 0 : if( FD_UNLIKELY( cur_sz <= FD_QUIC_CRYPTO_TAG_SZ ) ) {
241 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry packet is too small" )); )
242 0 : return FD_QUIC_FAILED;
243 0 : }
244 0 : uchar const * retry_token = cur_ptr;
245 0 : ulong retry_token_sz = cur_sz - FD_QUIC_CRYPTO_TAG_SZ;
246 0 : if( FD_UNLIKELY( retry_token_sz > FD_QUIC_RETRY_MAX_TOKEN_SZ ) ) {
247 0 : FD_DEBUG( FD_LOG_DEBUG(( "Retry token is too long (%lu bytes)", retry_token_sz )); )
248 0 : return FD_QUIC_FAILED;
249 0 : }
250 :
251 0 : cur_ptr += retry_token_sz;
252 0 : cur_sz -= retry_token_sz;
253 :
254 : /* Consume retry integrity tag */
255 :
256 0 : uchar const * retry_tag = cur_ptr;
257 0 : assert( cur_sz==FD_QUIC_CRYPTO_TAG_SZ );
258 0 : cur_ptr += FD_QUIC_CRYPTO_TAG_SZ;
259 0 : cur_sz -= FD_QUIC_CRYPTO_TAG_SZ;
260 :
261 : /* Construct Retry Pseudo Header required to validate Retry Integrity
262 : Tag. TODO This could be made more efficient using streaming
263 : AES-GCM. */
264 :
265 0 : uchar retry_pseudo_buf[ FD_QUIC_RETRY_MAX_PSEUDO_SZ ];
266 0 : ulong retry_pseudo_sz = fd_quic_retry_pseudo( retry_pseudo_buf, retry_ptr, retry_sz, orig_dst_conn_id );
267 0 : if( FD_UNLIKELY( retry_pseudo_sz==FD_QUIC_PARSE_FAIL ) ) FD_LOG_ERR(( "fd_quic_retry_pseudo_hdr failed" ));
268 :
269 : # if FD_QUIC_DISABLE_CRYPTO
270 :
271 : (void)retry_tag; /* skip verification */
272 :
273 : # else
274 :
275 : /* Validate the retry integrity tag
276 :
277 : Retry packets (see Section 17.2.5 of [QUIC-TRANSPORT]) carry a Retry Integrity Tag that
278 : provides two properties: it allows the discarding of packets that have accidentally been
279 : corrupted by the network, and only an entity that observes an Initial packet can send a valid
280 : Retry packet.*/
281 0 : fd_aes_gcm_t aes_gcm[1];
282 0 : int rc = fd_quic_retry_integrity_tag_verify( aes_gcm, retry_pseudo_buf, retry_pseudo_sz, retry_tag );
283 0 : if( FD_UNLIKELY( rc == FD_QUIC_FAILED ) ) {
284 : /* Clients MUST discard Retry packets that have a Retry Integrity Tag that
285 : cannot be validated */
286 0 : FD_DEBUG( FD_LOG_DEBUG(( "Invalid retry integrity tag" )); )
287 0 : return FD_QUIC_FAILED;
288 0 : }
289 :
290 0 : # endif
291 :
292 : /* Set out params */
293 :
294 0 : src_conn_id[0].sz = retry_hdr->src_conn_id_len;
295 0 : memcpy( src_conn_id[0].conn_id, retry_hdr->src_conn_id, FD_QUIC_MAX_CONN_ID_SZ ); /* oversz copy ok */
296 :
297 0 : *token = retry_token;
298 0 : *token_sz = retry_token_sz;
299 :
300 0 : return FD_QUIC_SUCCESS;
301 0 : }
|
