/src/openssl/ssl/quic/quic_wire_pkt.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/err.h> |
11 | | #include "internal/common.h" |
12 | | #include "internal/quic_wire_pkt.h" |
13 | | |
14 | | int ossl_quic_hdr_protector_init(QUIC_HDR_PROTECTOR *hpr, |
15 | | OSSL_LIB_CTX *libctx, |
16 | | const char *propq, |
17 | | uint32_t cipher_id, |
18 | | const unsigned char *quic_hp_key, |
19 | | size_t quic_hp_key_len) |
20 | 0 | { |
21 | 0 | const char *cipher_name = NULL; |
22 | |
|
23 | 0 | switch (cipher_id) { |
24 | 0 | case QUIC_HDR_PROT_CIPHER_AES_128: |
25 | 0 | cipher_name = "AES-128-ECB"; |
26 | 0 | break; |
27 | 0 | case QUIC_HDR_PROT_CIPHER_AES_256: |
28 | 0 | cipher_name = "AES-256-ECB"; |
29 | 0 | break; |
30 | 0 | case QUIC_HDR_PROT_CIPHER_CHACHA: |
31 | 0 | cipher_name = "ChaCha20"; |
32 | 0 | break; |
33 | 0 | default: |
34 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_UNSUPPORTED); |
35 | 0 | return 0; |
36 | 0 | } |
37 | | |
38 | 0 | hpr->cipher_ctx = EVP_CIPHER_CTX_new(); |
39 | 0 | if (hpr->cipher_ctx == NULL) { |
40 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
41 | 0 | return 0; |
42 | 0 | } |
43 | | |
44 | 0 | hpr->cipher = EVP_CIPHER_fetch(libctx, cipher_name, propq); |
45 | 0 | if (hpr->cipher == NULL |
46 | 0 | || quic_hp_key_len != (size_t)EVP_CIPHER_get_key_length(hpr->cipher)) { |
47 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
48 | 0 | goto err; |
49 | 0 | } |
50 | | |
51 | 0 | if (!EVP_CipherInit_ex(hpr->cipher_ctx, hpr->cipher, NULL, |
52 | 0 | quic_hp_key, NULL, 1)) { |
53 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
54 | 0 | goto err; |
55 | 0 | } |
56 | | |
57 | 0 | hpr->libctx = libctx; |
58 | 0 | hpr->propq = propq; |
59 | 0 | hpr->cipher_id = cipher_id; |
60 | 0 | return 1; |
61 | | |
62 | 0 | err: |
63 | 0 | ossl_quic_hdr_protector_cleanup(hpr); |
64 | 0 | return 0; |
65 | 0 | } |
66 | | |
67 | | void ossl_quic_hdr_protector_cleanup(QUIC_HDR_PROTECTOR *hpr) |
68 | 0 | { |
69 | 0 | EVP_CIPHER_CTX_free(hpr->cipher_ctx); |
70 | 0 | hpr->cipher_ctx = NULL; |
71 | |
|
72 | 0 | EVP_CIPHER_free(hpr->cipher); |
73 | 0 | hpr->cipher = NULL; |
74 | 0 | } |
75 | | |
76 | | static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr, |
77 | | const unsigned char *sample, size_t sample_len, |
78 | | unsigned char *mask) |
79 | 0 | { |
80 | 0 | int l = 0; |
81 | 0 | unsigned char dst[16]; |
82 | 0 | static const unsigned char zeroes[5] = {0}; |
83 | 0 | size_t i; |
84 | |
|
85 | 0 | if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_128 |
86 | 0 | || hpr->cipher_id == QUIC_HDR_PROT_CIPHER_AES_256) { |
87 | 0 | if (sample_len < 16) { |
88 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
89 | 0 | return 0; |
90 | 0 | } |
91 | | |
92 | 0 | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, NULL, 1) |
93 | 0 | || !EVP_CipherUpdate(hpr->cipher_ctx, dst, &l, sample, 16)) { |
94 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
95 | 0 | return 0; |
96 | 0 | } |
97 | | |
98 | 0 | for (i = 0; i < 5; ++i) |
99 | 0 | mask[i] = dst[i]; |
100 | 0 | } else if (hpr->cipher_id == QUIC_HDR_PROT_CIPHER_CHACHA) { |
101 | 0 | if (sample_len < 16) { |
102 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
103 | 0 | return 0; |
104 | 0 | } |
105 | | |
106 | 0 | if (!EVP_CipherInit_ex(hpr->cipher_ctx, NULL, NULL, NULL, sample, 1) |
107 | 0 | || !EVP_CipherUpdate(hpr->cipher_ctx, mask, &l, |
108 | 0 | zeroes, sizeof(zeroes))) { |
109 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
110 | 0 | return 0; |
111 | 0 | } |
112 | 0 | } else { |
113 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
114 | 0 | assert(0); |
115 | 0 | return 0; |
116 | 0 | } |
117 | | |
118 | 0 | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
119 | | /* No matter what we did above we use the same mask in fuzzing mode */ |
120 | 0 | memset(mask, 0, 5); |
121 | 0 | #endif |
122 | |
|
123 | 0 | return 1; |
124 | 0 | } |
125 | | |
126 | | int ossl_quic_hdr_protector_decrypt(QUIC_HDR_PROTECTOR *hpr, |
127 | | QUIC_PKT_HDR_PTRS *ptrs) |
128 | 0 | { |
129 | 0 | return ossl_quic_hdr_protector_decrypt_fields(hpr, |
130 | 0 | ptrs->raw_sample, |
131 | 0 | ptrs->raw_sample_len, |
132 | 0 | ptrs->raw_start, |
133 | 0 | ptrs->raw_pn); |
134 | 0 | } |
135 | | |
136 | | int ossl_quic_hdr_protector_decrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
137 | | const unsigned char *sample, |
138 | | size_t sample_len, |
139 | | unsigned char *first_byte, |
140 | | unsigned char *pn_bytes) |
141 | 0 | { |
142 | 0 | unsigned char mask[5], pn_len, i; |
143 | |
|
144 | 0 | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
145 | 0 | return 0; |
146 | | |
147 | 0 | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
148 | 0 | pn_len = (*first_byte & 0x3) + 1; |
149 | |
|
150 | 0 | for (i = 0; i < pn_len; ++i) |
151 | 0 | pn_bytes[i] ^= mask[i + 1]; |
152 | |
|
153 | 0 | return 1; |
154 | 0 | } |
155 | | |
156 | | int ossl_quic_hdr_protector_encrypt(QUIC_HDR_PROTECTOR *hpr, |
157 | | QUIC_PKT_HDR_PTRS *ptrs) |
158 | 0 | { |
159 | 0 | return ossl_quic_hdr_protector_encrypt_fields(hpr, |
160 | 0 | ptrs->raw_sample, |
161 | 0 | ptrs->raw_sample_len, |
162 | 0 | ptrs->raw_start, |
163 | 0 | ptrs->raw_pn); |
164 | 0 | } |
165 | | |
166 | | int ossl_quic_hdr_protector_encrypt_fields(QUIC_HDR_PROTECTOR *hpr, |
167 | | const unsigned char *sample, |
168 | | size_t sample_len, |
169 | | unsigned char *first_byte, |
170 | | unsigned char *pn_bytes) |
171 | 0 | { |
172 | 0 | unsigned char mask[5], pn_len, i; |
173 | |
|
174 | 0 | if (!hdr_generate_mask(hpr, sample, sample_len, mask)) |
175 | 0 | return 0; |
176 | | |
177 | 0 | pn_len = (*first_byte & 0x3) + 1; |
178 | 0 | for (i = 0; i < pn_len; ++i) |
179 | 0 | pn_bytes[i] ^= mask[i + 1]; |
180 | |
|
181 | 0 | *first_byte ^= mask[0] & ((*first_byte & 0x80) != 0 ? 0xf : 0x1f); |
182 | 0 | return 1; |
183 | 0 | } |
184 | | |
185 | | int ossl_quic_wire_decode_pkt_hdr(PACKET *pkt, |
186 | | size_t short_conn_id_len, |
187 | | int partial, |
188 | | int nodata, |
189 | | QUIC_PKT_HDR *hdr, |
190 | | QUIC_PKT_HDR_PTRS *ptrs) |
191 | 0 | { |
192 | 0 | unsigned int b0; |
193 | 0 | unsigned char *pn = NULL; |
194 | 0 | size_t l = PACKET_remaining(pkt); |
195 | |
|
196 | 0 | if (ptrs != NULL) { |
197 | 0 | ptrs->raw_start = (unsigned char *)PACKET_data(pkt); |
198 | 0 | ptrs->raw_sample = NULL; |
199 | 0 | ptrs->raw_sample_len = 0; |
200 | 0 | ptrs->raw_pn = NULL; |
201 | 0 | } |
202 | |
|
203 | 0 | if (l < QUIC_MIN_VALID_PKT_LEN |
204 | 0 | || !PACKET_get_1(pkt, &b0)) |
205 | 0 | return 0; |
206 | | |
207 | 0 | hdr->partial = partial; |
208 | 0 | hdr->unused = 0; |
209 | 0 | hdr->reserved = 0; |
210 | |
|
211 | 0 | if ((b0 & 0x80) == 0) { |
212 | | /* Short header. */ |
213 | 0 | if (short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
214 | 0 | return 0; |
215 | | |
216 | 0 | if ((b0 & 0x40) == 0 /* fixed bit not set? */ |
217 | 0 | || l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
218 | 0 | return 0; |
219 | | |
220 | 0 | hdr->type = QUIC_PKT_TYPE_1RTT; |
221 | 0 | hdr->fixed = 1; |
222 | 0 | hdr->spin_bit = (b0 & 0x20) != 0; |
223 | 0 | if (partial) { |
224 | 0 | hdr->key_phase = 0; /* protected, zero for now */ |
225 | 0 | hdr->pn_len = 0; /* protected, zero for now */ |
226 | 0 | hdr->reserved = 0; /* protected, zero for now */ |
227 | 0 | } else { |
228 | 0 | hdr->key_phase = (b0 & 0x04) != 0; |
229 | 0 | hdr->pn_len = (b0 & 0x03) + 1; |
230 | 0 | hdr->reserved = (b0 & 0x18) >> 3; |
231 | 0 | } |
232 | | |
233 | | /* Copy destination connection ID field to header structure. */ |
234 | 0 | if (!PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, short_conn_id_len)) |
235 | 0 | return 0; |
236 | | |
237 | 0 | hdr->dst_conn_id.id_len = (unsigned char)short_conn_id_len; |
238 | | |
239 | | /* |
240 | | * Skip over the PN. If this is a partial decode, the PN length field |
241 | | * currently has header protection applied. Thus we do not know the |
242 | | * length of the PN but we are allowed to assume it is 4 bytes long at |
243 | | * this stage. |
244 | | */ |
245 | 0 | memset(hdr->pn, 0, sizeof(hdr->pn)); |
246 | 0 | pn = (unsigned char *)PACKET_data(pkt); |
247 | 0 | if (partial) { |
248 | 0 | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
249 | 0 | return 0; |
250 | 0 | } else { |
251 | 0 | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
252 | 0 | return 0; |
253 | 0 | } |
254 | | |
255 | | /* Fields not used in short-header packets. */ |
256 | 0 | hdr->version = 0; |
257 | 0 | hdr->src_conn_id.id_len = 0; |
258 | 0 | hdr->token = NULL; |
259 | 0 | hdr->token_len = 0; |
260 | | |
261 | | /* |
262 | | * Short-header packets always come last in a datagram, the length |
263 | | * is the remainder of the buffer. |
264 | | */ |
265 | 0 | hdr->len = PACKET_remaining(pkt); |
266 | 0 | hdr->data = PACKET_data(pkt); |
267 | | |
268 | | /* |
269 | | * Skip over payload. Since this is a short header packet, which cannot |
270 | | * be followed by any other kind of packet, this advances us to the end |
271 | | * of the datagram. |
272 | | */ |
273 | 0 | if (!PACKET_forward(pkt, hdr->len)) |
274 | 0 | return 0; |
275 | 0 | } else { |
276 | | /* Long header. */ |
277 | 0 | unsigned long version; |
278 | 0 | unsigned int dst_conn_id_len, src_conn_id_len, raw_type; |
279 | |
|
280 | 0 | if (!PACKET_get_net_4(pkt, &version)) |
281 | 0 | return 0; |
282 | | |
283 | | /* |
284 | | * All QUIC packets must have the fixed bit set, except exceptionally |
285 | | * for Version Negotiation packets. |
286 | | */ |
287 | 0 | if (version != 0 && (b0 & 0x40) == 0) |
288 | 0 | return 0; |
289 | | |
290 | 0 | if (!PACKET_get_1(pkt, &dst_conn_id_len) |
291 | 0 | || dst_conn_id_len > QUIC_MAX_CONN_ID_LEN |
292 | 0 | || !PACKET_copy_bytes(pkt, hdr->dst_conn_id.id, dst_conn_id_len) |
293 | 0 | || !PACKET_get_1(pkt, &src_conn_id_len) |
294 | 0 | || src_conn_id_len > QUIC_MAX_CONN_ID_LEN |
295 | 0 | || !PACKET_copy_bytes(pkt, hdr->src_conn_id.id, src_conn_id_len)) |
296 | 0 | return 0; |
297 | | |
298 | 0 | hdr->version = (uint32_t)version; |
299 | 0 | hdr->dst_conn_id.id_len = (unsigned char)dst_conn_id_len; |
300 | 0 | hdr->src_conn_id.id_len = (unsigned char)src_conn_id_len; |
301 | |
|
302 | 0 | if (version == 0) { |
303 | | /* |
304 | | * Version negotiation packet. Version negotiation packets are |
305 | | * identified by a version field of 0 and the type bits in the first |
306 | | * byte are ignored (they may take any value, and we ignore them). |
307 | | */ |
308 | 0 | hdr->type = QUIC_PKT_TYPE_VERSION_NEG; |
309 | 0 | hdr->fixed = (b0 & 0x40) != 0; |
310 | |
|
311 | 0 | hdr->data = PACKET_data(pkt); |
312 | 0 | hdr->len = PACKET_remaining(pkt); |
313 | | |
314 | | /* |
315 | | * Version negotiation packets must contain an array of u32s, so it |
316 | | * is invalid for their payload length to not be divisible by 4. |
317 | | */ |
318 | 0 | if ((hdr->len % 4) != 0) |
319 | 0 | return 0; |
320 | | |
321 | | /* Version negotiation packets are always fully decoded. */ |
322 | 0 | hdr->partial = 0; |
323 | | |
324 | | /* Fields not used in version negotiation packets. */ |
325 | 0 | hdr->pn_len = 0; |
326 | 0 | hdr->spin_bit = 0; |
327 | 0 | hdr->key_phase = 0; |
328 | 0 | hdr->token = NULL; |
329 | 0 | hdr->token_len = 0; |
330 | 0 | memset(hdr->pn, 0, sizeof(hdr->pn)); |
331 | |
|
332 | 0 | if (!PACKET_forward(pkt, hdr->len)) |
333 | 0 | return 0; |
334 | 0 | } else if (version != QUIC_VERSION_1) { |
335 | | /* Unknown version, do not decode. */ |
336 | 0 | return 0; |
337 | 0 | } else { |
338 | 0 | if (l < QUIC_MIN_VALID_PKT_LEN_CRYPTO) |
339 | 0 | return 0; |
340 | | |
341 | | /* Get long packet type and decode to QUIC_PKT_TYPE_*. */ |
342 | 0 | raw_type = ((b0 >> 4) & 0x3); |
343 | |
|
344 | 0 | switch (raw_type) { |
345 | 0 | case 0: |
346 | 0 | hdr->type = QUIC_PKT_TYPE_INITIAL; |
347 | 0 | break; |
348 | 0 | case 1: |
349 | 0 | hdr->type = QUIC_PKT_TYPE_0RTT; |
350 | 0 | break; |
351 | 0 | case 2: |
352 | 0 | hdr->type = QUIC_PKT_TYPE_HANDSHAKE; |
353 | 0 | break; |
354 | 0 | case 3: |
355 | 0 | hdr->type = QUIC_PKT_TYPE_RETRY; |
356 | 0 | break; |
357 | 0 | } |
358 | | |
359 | 0 | hdr->pn_len = 0; |
360 | 0 | hdr->fixed = 1; |
361 | | |
362 | | /* Fields not used in long-header packets. */ |
363 | 0 | hdr->spin_bit = 0; |
364 | 0 | hdr->key_phase = 0; |
365 | |
|
366 | 0 | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
367 | | /* Initial packet. */ |
368 | 0 | uint64_t token_len; |
369 | |
|
370 | 0 | if (!PACKET_get_quic_vlint(pkt, &token_len) |
371 | 0 | || token_len > SIZE_MAX |
372 | 0 | || !PACKET_get_bytes(pkt, &hdr->token, (size_t)token_len)) |
373 | 0 | return 0; |
374 | | |
375 | 0 | hdr->token_len = (size_t)token_len; |
376 | 0 | if (token_len == 0) |
377 | 0 | hdr->token = NULL; |
378 | 0 | } else { |
379 | 0 | hdr->token = NULL; |
380 | 0 | hdr->token_len = 0; |
381 | 0 | } |
382 | | |
383 | 0 | if (hdr->type == QUIC_PKT_TYPE_RETRY) { |
384 | | /* Retry packet. */ |
385 | 0 | hdr->data = PACKET_data(pkt); |
386 | 0 | hdr->len = PACKET_remaining(pkt); |
387 | | |
388 | | /* Retry packets are always fully decoded. */ |
389 | 0 | hdr->partial = 0; |
390 | | |
391 | | /* Unused bits in Retry header. */ |
392 | 0 | hdr->unused = b0 & 0x0f; |
393 | | |
394 | | /* Fields not used in Retry packets. */ |
395 | 0 | memset(hdr->pn, 0, sizeof(hdr->pn)); |
396 | |
|
397 | 0 | if (!PACKET_forward(pkt, hdr->len)) |
398 | 0 | return 0; |
399 | 0 | } else { |
400 | | /* Initial, 0-RTT or Handshake packet. */ |
401 | 0 | uint64_t len; |
402 | |
|
403 | 0 | hdr->pn_len = partial ? 0 : ((b0 & 0x03) + 1); |
404 | 0 | hdr->reserved = partial ? 0 : ((b0 & 0x0C) >> 2); |
405 | |
|
406 | 0 | if (!PACKET_get_quic_vlint(pkt, &len) |
407 | 0 | || len < sizeof(hdr->pn)) |
408 | 0 | return 0; |
409 | | |
410 | 0 | if (!nodata && len > PACKET_remaining(pkt)) |
411 | 0 | return 0; |
412 | | |
413 | | /* |
414 | | * Skip over the PN. If this is a partial decode, the PN length |
415 | | * field currently has header protection applied. Thus we do not |
416 | | * know the length of the PN but we are allowed to assume it is |
417 | | * 4 bytes long at this stage. |
418 | | */ |
419 | 0 | pn = (unsigned char *)PACKET_data(pkt); |
420 | 0 | memset(hdr->pn, 0, sizeof(hdr->pn)); |
421 | 0 | if (partial) { |
422 | 0 | if (!PACKET_forward(pkt, sizeof(hdr->pn))) |
423 | 0 | return 0; |
424 | | |
425 | 0 | hdr->len = (size_t)(len - sizeof(hdr->pn)); |
426 | 0 | } else { |
427 | 0 | if (!PACKET_copy_bytes(pkt, hdr->pn, hdr->pn_len)) |
428 | 0 | return 0; |
429 | | |
430 | 0 | hdr->len = (size_t)(len - hdr->pn_len); |
431 | 0 | } |
432 | | |
433 | 0 | if (nodata) { |
434 | 0 | hdr->data = NULL; |
435 | 0 | } else { |
436 | 0 | hdr->data = PACKET_data(pkt); |
437 | | |
438 | | /* Skip over packet body. */ |
439 | 0 | if (!PACKET_forward(pkt, hdr->len)) |
440 | 0 | return 0; |
441 | 0 | } |
442 | 0 | } |
443 | 0 | } |
444 | 0 | } |
445 | | |
446 | 0 | if (ptrs != NULL) { |
447 | 0 | ptrs->raw_pn = pn; |
448 | 0 | if (pn != NULL) { |
449 | 0 | ptrs->raw_sample = pn + 4; |
450 | 0 | ptrs->raw_sample_len = PACKET_end(pkt) - ptrs->raw_sample; |
451 | 0 | } |
452 | 0 | } |
453 | |
|
454 | 0 | return 1; |
455 | 0 | } |
456 | | |
457 | | int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, |
458 | | size_t short_conn_id_len, |
459 | | const QUIC_PKT_HDR *hdr, |
460 | | QUIC_PKT_HDR_PTRS *ptrs) |
461 | 0 | { |
462 | 0 | unsigned char b0; |
463 | 0 | size_t off_start, off_sample, off_pn; |
464 | 0 | unsigned char *start = WPACKET_get_curr(pkt); |
465 | |
|
466 | 0 | if (!WPACKET_get_total_written(pkt, &off_start)) |
467 | 0 | return 0; |
468 | | |
469 | 0 | if (ptrs != NULL) { |
470 | | /* ptrs would not be stable on non-static WPACKET */ |
471 | 0 | if (!ossl_assert(pkt->staticbuf != NULL)) |
472 | 0 | return 0; |
473 | 0 | ptrs->raw_start = NULL; |
474 | 0 | ptrs->raw_sample = NULL; |
475 | 0 | ptrs->raw_sample_len = 0; |
476 | 0 | ptrs->raw_pn = 0; |
477 | 0 | } |
478 | | |
479 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
480 | 0 | if (hdr->partial |
481 | 0 | || (hdr->type == QUIC_PKT_TYPE_1RTT |
482 | 0 | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
483 | 0 | return 0; |
484 | | |
485 | 0 | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
486 | | /* Short header. */ |
487 | | |
488 | | /* |
489 | | * Cannot serialize a header whose DCID length is wrong, or with an |
490 | | * invalid PN length. |
491 | | */ |
492 | 0 | if (hdr->dst_conn_id.id_len != short_conn_id_len |
493 | 0 | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
494 | 0 | || hdr->pn_len < 1 || hdr->pn_len > 4) |
495 | 0 | return 0; |
496 | | |
497 | 0 | b0 = (hdr->spin_bit << 5) |
498 | 0 | | (hdr->key_phase << 2) |
499 | 0 | | (hdr->pn_len - 1) |
500 | 0 | | (hdr->reserved << 3) |
501 | 0 | | 0x40; /* fixed bit */ |
502 | |
|
503 | 0 | if (!WPACKET_put_bytes_u8(pkt, b0) |
504 | 0 | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, short_conn_id_len) |
505 | 0 | || !WPACKET_get_total_written(pkt, &off_pn) |
506 | 0 | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
507 | 0 | return 0; |
508 | 0 | } else { |
509 | | /* Long header. */ |
510 | 0 | unsigned int raw_type; |
511 | |
|
512 | 0 | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
513 | 0 | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
514 | 0 | return 0; |
515 | | |
516 | 0 | if (ossl_quic_pkt_type_has_pn(hdr->type) |
517 | 0 | && (hdr->pn_len < 1 || hdr->pn_len > 4)) |
518 | 0 | return 0; |
519 | | |
520 | 0 | switch (hdr->type) { |
521 | 0 | case QUIC_PKT_TYPE_VERSION_NEG: |
522 | 0 | if (hdr->version != 0) |
523 | 0 | return 0; |
524 | | |
525 | | /* Version negotiation packets use zero for the type bits */ |
526 | 0 | raw_type = 0; |
527 | 0 | break; |
528 | | |
529 | 0 | case QUIC_PKT_TYPE_INITIAL: raw_type = 0; break; |
530 | 0 | case QUIC_PKT_TYPE_0RTT: raw_type = 1; break; |
531 | 0 | case QUIC_PKT_TYPE_HANDSHAKE: raw_type = 2; break; |
532 | 0 | case QUIC_PKT_TYPE_RETRY: raw_type = 3; break; |
533 | 0 | default: |
534 | 0 | return 0; |
535 | 0 | } |
536 | | |
537 | 0 | b0 = (raw_type << 4) | 0x80; /* long */ |
538 | 0 | if (hdr->type != QUIC_PKT_TYPE_VERSION_NEG || hdr->fixed) |
539 | 0 | b0 |= 0x40; /* fixed */ |
540 | 0 | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
541 | 0 | b0 |= hdr->pn_len - 1; |
542 | 0 | b0 |= (hdr->reserved << 2); |
543 | 0 | } |
544 | 0 | if (hdr->type == QUIC_PKT_TYPE_RETRY) |
545 | 0 | b0 |= hdr->unused; |
546 | |
|
547 | 0 | if (!WPACKET_put_bytes_u8(pkt, b0) |
548 | 0 | || !WPACKET_put_bytes_u32(pkt, hdr->version) |
549 | 0 | || !WPACKET_put_bytes_u8(pkt, hdr->dst_conn_id.id_len) |
550 | 0 | || !WPACKET_memcpy(pkt, hdr->dst_conn_id.id, |
551 | 0 | hdr->dst_conn_id.id_len) |
552 | 0 | || !WPACKET_put_bytes_u8(pkt, hdr->src_conn_id.id_len) |
553 | 0 | || !WPACKET_memcpy(pkt, hdr->src_conn_id.id, |
554 | 0 | hdr->src_conn_id.id_len)) |
555 | 0 | return 0; |
556 | | |
557 | 0 | if (hdr->type == QUIC_PKT_TYPE_VERSION_NEG |
558 | 0 | || hdr->type == QUIC_PKT_TYPE_RETRY) { |
559 | 0 | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
560 | 0 | return 0; |
561 | | |
562 | 0 | return 1; |
563 | 0 | } |
564 | | |
565 | 0 | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
566 | 0 | if (!WPACKET_quic_write_vlint(pkt, hdr->token_len) |
567 | 0 | || !WPACKET_memcpy(pkt, hdr->token, hdr->token_len)) |
568 | 0 | return 0; |
569 | 0 | } |
570 | | |
571 | 0 | if (!WPACKET_quic_write_vlint(pkt, hdr->len + hdr->pn_len) |
572 | 0 | || !WPACKET_get_total_written(pkt, &off_pn) |
573 | 0 | || !WPACKET_memcpy(pkt, hdr->pn, hdr->pn_len)) |
574 | 0 | return 0; |
575 | 0 | } |
576 | | |
577 | 0 | if (hdr->len > 0 && !WPACKET_reserve_bytes(pkt, hdr->len, NULL)) |
578 | 0 | return 0; |
579 | | |
580 | 0 | off_sample = off_pn + 4; |
581 | |
|
582 | 0 | if (ptrs != NULL) { |
583 | 0 | ptrs->raw_start = start; |
584 | 0 | ptrs->raw_sample = start + (off_sample - off_start); |
585 | 0 | ptrs->raw_sample_len |
586 | 0 | = WPACKET_get_curr(pkt) + hdr->len - ptrs->raw_sample; |
587 | 0 | ptrs->raw_pn = start + (off_pn - off_start); |
588 | 0 | } |
589 | |
|
590 | 0 | return 1; |
591 | 0 | } |
592 | | |
593 | | int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, |
594 | | const QUIC_PKT_HDR *hdr) |
595 | 0 | { |
596 | 0 | size_t len = 0, enclen; |
597 | | |
598 | | /* Cannot serialize a partial header, or one whose DCID length is wrong. */ |
599 | 0 | if (hdr->partial |
600 | 0 | || (hdr->type == QUIC_PKT_TYPE_1RTT |
601 | 0 | && hdr->dst_conn_id.id_len != short_conn_id_len)) |
602 | 0 | return 0; |
603 | | |
604 | 0 | if (hdr->type == QUIC_PKT_TYPE_1RTT) { |
605 | | /* Short header. */ |
606 | | |
607 | | /* |
608 | | * Cannot serialize a header whose DCID length is wrong, or with an |
609 | | * invalid PN length. |
610 | | */ |
611 | 0 | if (hdr->dst_conn_id.id_len != short_conn_id_len |
612 | 0 | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN |
613 | 0 | || hdr->pn_len < 1 || hdr->pn_len > 4) |
614 | 0 | return 0; |
615 | | |
616 | 0 | return 1 + short_conn_id_len + hdr->pn_len; |
617 | 0 | } else { |
618 | | /* Long header. */ |
619 | 0 | if (hdr->dst_conn_id.id_len > QUIC_MAX_CONN_ID_LEN |
620 | 0 | || hdr->src_conn_id.id_len > QUIC_MAX_CONN_ID_LEN) |
621 | 0 | return 0; |
622 | | |
623 | 0 | len += 1 /* Initial byte */ + 4 /* Version */ |
624 | 0 | + 1 + hdr->dst_conn_id.id_len /* DCID Len, DCID */ |
625 | 0 | + 1 + hdr->src_conn_id.id_len /* SCID Len, SCID */ |
626 | 0 | ; |
627 | |
|
628 | 0 | if (ossl_quic_pkt_type_has_pn(hdr->type)) { |
629 | 0 | if (hdr->pn_len < 1 || hdr->pn_len > 4) |
630 | 0 | return 0; |
631 | | |
632 | 0 | len += hdr->pn_len; |
633 | 0 | } |
634 | | |
635 | 0 | if (hdr->type == QUIC_PKT_TYPE_INITIAL) { |
636 | 0 | enclen = ossl_quic_vlint_encode_len(hdr->token_len); |
637 | 0 | if (!enclen) |
638 | 0 | return 0; |
639 | | |
640 | 0 | len += enclen + hdr->token_len; |
641 | 0 | } |
642 | | |
643 | 0 | if (!ossl_quic_pkt_type_must_be_last(hdr->type)) { |
644 | 0 | enclen = ossl_quic_vlint_encode_len(hdr->len + hdr->pn_len); |
645 | 0 | if (!enclen) |
646 | 0 | return 0; |
647 | | |
648 | 0 | len += enclen; |
649 | 0 | } |
650 | | |
651 | 0 | return len; |
652 | 0 | } |
653 | 0 | } |
654 | | |
655 | | int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, |
656 | | size_t buf_len, |
657 | | size_t short_conn_id_len, |
658 | | QUIC_CONN_ID *dst_conn_id) |
659 | 0 | { |
660 | 0 | unsigned char b0; |
661 | 0 | size_t blen; |
662 | |
|
663 | 0 | if (buf_len < QUIC_MIN_VALID_PKT_LEN |
664 | 0 | || short_conn_id_len > QUIC_MAX_CONN_ID_LEN) |
665 | 0 | return 0; |
666 | | |
667 | 0 | b0 = buf[0]; |
668 | 0 | if ((b0 & 0x80) != 0) { |
669 | | /* |
670 | | * Long header. We need 6 bytes (initial byte, 4 version bytes, DCID |
671 | | * length byte to begin with). This is covered by the buf_len test |
672 | | * above. |
673 | | */ |
674 | | |
675 | | /* |
676 | | * If the version field is non-zero (meaning that this is not a Version |
677 | | * Negotiation packet), the fixed bit must be set. |
678 | | */ |
679 | 0 | if ((buf[1] || buf[2] || buf[3] || buf[4]) && (b0 & 0x40) == 0) |
680 | 0 | return 0; |
681 | | |
682 | 0 | blen = (size_t)buf[5]; /* DCID Length */ |
683 | 0 | if (blen > QUIC_MAX_CONN_ID_LEN |
684 | 0 | || buf_len < QUIC_MIN_VALID_PKT_LEN + blen) |
685 | 0 | return 0; |
686 | | |
687 | 0 | dst_conn_id->id_len = (unsigned char)blen; |
688 | 0 | memcpy(dst_conn_id->id, buf + 6, blen); |
689 | 0 | return 1; |
690 | 0 | } else { |
691 | | /* Short header. */ |
692 | 0 | if ((b0 & 0x40) == 0) |
693 | | /* Fixed bit not set, not a valid QUIC packet header. */ |
694 | 0 | return 0; |
695 | | |
696 | 0 | if (buf_len < QUIC_MIN_VALID_PKT_LEN_CRYPTO + short_conn_id_len) |
697 | 0 | return 0; |
698 | | |
699 | 0 | dst_conn_id->id_len = (unsigned char)short_conn_id_len; |
700 | 0 | memcpy(dst_conn_id->id, buf + 1, short_conn_id_len); |
701 | 0 | return 1; |
702 | 0 | } |
703 | 0 | } |
704 | | |
705 | | int ossl_quic_wire_decode_pkt_hdr_pn(const unsigned char *enc_pn, |
706 | | size_t enc_pn_len, |
707 | | QUIC_PN largest_pn, |
708 | | QUIC_PN *res_pn) |
709 | 0 | { |
710 | 0 | int64_t expected_pn, truncated_pn, candidate_pn, pn_win, pn_hwin, pn_mask; |
711 | |
|
712 | 0 | switch (enc_pn_len) { |
713 | 0 | case 1: |
714 | 0 | truncated_pn = enc_pn[0]; |
715 | 0 | break; |
716 | 0 | case 2: |
717 | 0 | truncated_pn = ((QUIC_PN)enc_pn[0] << 8) |
718 | 0 | | (QUIC_PN)enc_pn[1]; |
719 | 0 | break; |
720 | 0 | case 3: |
721 | 0 | truncated_pn = ((QUIC_PN)enc_pn[0] << 16) |
722 | 0 | | ((QUIC_PN)enc_pn[1] << 8) |
723 | 0 | | (QUIC_PN)enc_pn[2]; |
724 | 0 | break; |
725 | 0 | case 4: |
726 | 0 | truncated_pn = ((QUIC_PN)enc_pn[0] << 24) |
727 | 0 | | ((QUIC_PN)enc_pn[1] << 16) |
728 | 0 | | ((QUIC_PN)enc_pn[2] << 8) |
729 | 0 | | (QUIC_PN)enc_pn[3]; |
730 | 0 | break; |
731 | 0 | default: |
732 | 0 | return 0; |
733 | 0 | } |
734 | | |
735 | | /* Implemented as per RFC 9000 Section A.3. */ |
736 | 0 | expected_pn = largest_pn + 1; |
737 | 0 | pn_win = ((int64_t)1) << (enc_pn_len * 8); |
738 | 0 | pn_hwin = pn_win / 2; |
739 | 0 | pn_mask = pn_win - 1; |
740 | 0 | candidate_pn = (expected_pn & ~pn_mask) | truncated_pn; |
741 | 0 | if (candidate_pn <= expected_pn - pn_hwin |
742 | 0 | && candidate_pn < (((int64_t)1) << 62) - pn_win) |
743 | 0 | *res_pn = candidate_pn + pn_win; |
744 | 0 | else if (candidate_pn > expected_pn + pn_hwin |
745 | 0 | && candidate_pn >= pn_win) |
746 | 0 | *res_pn = candidate_pn - pn_win; |
747 | 0 | else |
748 | 0 | *res_pn = candidate_pn; |
749 | 0 | return 1; |
750 | 0 | } |
751 | | |
752 | | /* From RFC 9000 Section A.2. Simplified implementation. */ |
753 | | int ossl_quic_wire_determine_pn_len(QUIC_PN pn, |
754 | | QUIC_PN largest_acked) |
755 | 0 | { |
756 | 0 | uint64_t num_unacked |
757 | 0 | = (largest_acked == QUIC_PN_INVALID) ? pn + 1 : pn - largest_acked; |
758 | | |
759 | | /* |
760 | | * num_unacked \in [ 0, 2** 7] -> 1 byte |
761 | | * num_unacked \in (2** 7, 2**15] -> 2 bytes |
762 | | * num_unacked \in (2**15, 2**23] -> 3 bytes |
763 | | * num_unacked \in (2**23, ] -> 4 bytes |
764 | | */ |
765 | |
|
766 | 0 | if (num_unacked <= (1U<<7)) return 1; |
767 | 0 | if (num_unacked <= (1U<<15)) return 2; |
768 | 0 | if (num_unacked <= (1U<<23)) return 3; |
769 | 0 | return 4; |
770 | 0 | } |
771 | | |
772 | | int ossl_quic_wire_encode_pkt_hdr_pn(QUIC_PN pn, |
773 | | unsigned char *enc_pn, |
774 | | size_t enc_pn_len) |
775 | 0 | { |
776 | 0 | switch (enc_pn_len) { |
777 | 0 | case 1: |
778 | 0 | enc_pn[0] = (unsigned char)pn; |
779 | 0 | break; |
780 | 0 | case 2: |
781 | 0 | enc_pn[1] = (unsigned char)pn; |
782 | 0 | enc_pn[0] = (unsigned char)(pn >> 8); |
783 | 0 | break; |
784 | 0 | case 3: |
785 | 0 | enc_pn[2] = (unsigned char)pn; |
786 | 0 | enc_pn[1] = (unsigned char)(pn >> 8); |
787 | 0 | enc_pn[0] = (unsigned char)(pn >> 16); |
788 | 0 | break; |
789 | 0 | case 4: |
790 | 0 | enc_pn[3] = (unsigned char)pn; |
791 | 0 | enc_pn[2] = (unsigned char)(pn >> 8); |
792 | 0 | enc_pn[1] = (unsigned char)(pn >> 16); |
793 | 0 | enc_pn[0] = (unsigned char)(pn >> 24); |
794 | 0 | break; |
795 | 0 | default: |
796 | 0 | return 0; |
797 | 0 | } |
798 | | |
799 | 0 | return 1; |
800 | 0 | } |
801 | | |
802 | | int ossl_quic_validate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
803 | | const char *propq, |
804 | | const QUIC_PKT_HDR *hdr, |
805 | | const QUIC_CONN_ID *client_initial_dcid) |
806 | 0 | { |
807 | 0 | unsigned char expected_tag[QUIC_RETRY_INTEGRITY_TAG_LEN]; |
808 | 0 | const unsigned char *actual_tag; |
809 | |
|
810 | 0 | if (hdr == NULL || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN) |
811 | 0 | return 0; |
812 | | |
813 | 0 | if (!ossl_quic_calculate_retry_integrity_tag(libctx, propq, |
814 | 0 | hdr, client_initial_dcid, |
815 | 0 | expected_tag)) |
816 | 0 | return 0; |
817 | | |
818 | 0 | actual_tag = hdr->data + hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN; |
819 | |
|
820 | 0 | return !CRYPTO_memcmp(expected_tag, actual_tag, |
821 | 0 | QUIC_RETRY_INTEGRITY_TAG_LEN); |
822 | 0 | } |
823 | | |
824 | | /* RFC 9001 s. 5.8 */ |
825 | | static const unsigned char retry_integrity_key[] = { |
826 | | 0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, |
827 | | 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e |
828 | | }; |
829 | | |
830 | | static const unsigned char retry_integrity_nonce[] = { |
831 | | 0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, |
832 | | 0x23, 0x98, 0x25, 0xbb |
833 | | }; |
834 | | |
835 | | int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx, |
836 | | const char *propq, |
837 | | const QUIC_PKT_HDR *hdr, |
838 | | const QUIC_CONN_ID *client_initial_dcid, |
839 | | unsigned char *tag) |
840 | 0 | { |
841 | 0 | EVP_CIPHER *cipher = NULL; |
842 | 0 | EVP_CIPHER_CTX *cctx = NULL; |
843 | 0 | int ok = 0, l = 0, l2 = 0, wpkt_valid = 0; |
844 | 0 | WPACKET wpkt; |
845 | | /* Worst case length of the Retry Psuedo-Packet header is 68 bytes. */ |
846 | 0 | unsigned char buf[128]; |
847 | 0 | QUIC_PKT_HDR hdr2; |
848 | 0 | size_t hdr_enc_len = 0; |
849 | |
|
850 | 0 | if (hdr->type != QUIC_PKT_TYPE_RETRY || hdr->version == 0 |
851 | 0 | || hdr->len < QUIC_RETRY_INTEGRITY_TAG_LEN |
852 | 0 | || hdr->data == NULL |
853 | 0 | || client_initial_dcid == NULL || tag == NULL |
854 | 0 | || client_initial_dcid->id_len > QUIC_MAX_CONN_ID_LEN) { |
855 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT); |
856 | 0 | goto err; |
857 | 0 | } |
858 | | |
859 | | /* |
860 | | * Do not reserve packet body in WPACKET. Retry packet header |
861 | | * does not contain a Length field so this does not affect |
862 | | * the serialized packet header. |
863 | | */ |
864 | 0 | hdr2 = *hdr; |
865 | 0 | hdr2.len = 0; |
866 | | |
867 | | /* Assemble retry psuedo-packet. */ |
868 | 0 | if (!WPACKET_init_static_len(&wpkt, buf, sizeof(buf), 0)) { |
869 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
870 | 0 | goto err; |
871 | 0 | } |
872 | | |
873 | 0 | wpkt_valid = 1; |
874 | | |
875 | | /* Prepend original DCID to the packet. */ |
876 | 0 | if (!WPACKET_put_bytes_u8(&wpkt, client_initial_dcid->id_len) |
877 | 0 | || !WPACKET_memcpy(&wpkt, client_initial_dcid->id, |
878 | 0 | client_initial_dcid->id_len)) { |
879 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
880 | 0 | goto err; |
881 | 0 | } |
882 | | |
883 | | /* Encode main retry header. */ |
884 | 0 | if (!ossl_quic_wire_encode_pkt_hdr(&wpkt, hdr2.dst_conn_id.id_len, |
885 | 0 | &hdr2, NULL)) |
886 | 0 | goto err; |
887 | | |
888 | 0 | if (!WPACKET_get_total_written(&wpkt, &hdr_enc_len)) { |
889 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); |
890 | 0 | return 0; |
891 | 0 | } |
892 | | |
893 | | /* Create and initialise cipher context. */ |
894 | | /* TODO(QUIC FUTURE): Cipher fetch caching. */ |
895 | 0 | if ((cipher = EVP_CIPHER_fetch(libctx, "AES-128-GCM", propq)) == NULL) { |
896 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
897 | 0 | goto err; |
898 | 0 | } |
899 | | |
900 | 0 | if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { |
901 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
902 | 0 | goto err; |
903 | 0 | } |
904 | | |
905 | 0 | if (!EVP_CipherInit_ex(cctx, cipher, NULL, |
906 | 0 | retry_integrity_key, retry_integrity_nonce, /*enc=*/1)) { |
907 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
908 | 0 | goto err; |
909 | 0 | } |
910 | | |
911 | | /* Feed packet header as AAD data. */ |
912 | 0 | if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) { |
913 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
914 | 0 | return 0; |
915 | 0 | } |
916 | | |
917 | | /* Feed packet body as AAD data. */ |
918 | 0 | if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data, |
919 | 0 | hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) != 1) { |
920 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
921 | 0 | return 0; |
922 | 0 | } |
923 | | |
924 | | /* Finalise and get tag. */ |
925 | 0 | if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) { |
926 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
927 | 0 | return 0; |
928 | 0 | } |
929 | | |
930 | 0 | if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, |
931 | 0 | QUIC_RETRY_INTEGRITY_TAG_LEN, |
932 | 0 | tag) != 1) { |
933 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); |
934 | 0 | return 0; |
935 | 0 | } |
936 | | |
937 | 0 | ok = 1; |
938 | 0 | err: |
939 | 0 | EVP_CIPHER_free(cipher); |
940 | 0 | EVP_CIPHER_CTX_free(cctx); |
941 | 0 | if (wpkt_valid) |
942 | 0 | WPACKET_finish(&wpkt); |
943 | |
|
944 | 0 | return ok; |
945 | 0 | } |