2 * Copyright (c) 2021 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <quic/quic.h>
17 #include <quic/quic_crypto.h>
20 #include <picotls/openssl.h>
22 #define QUICLY_EPOCH_1RTT 3
24 extern quic_main_t quic_main;
25 extern quic_ctx_t *quic_get_conn_ctx (quicly_conn_t * conn);
26 vnet_crypto_main_t *cm = &crypto_main;
28 struct cipher_context_t
30 ptls_cipher_context_t super;
32 vnet_crypto_op_id_t id;
36 struct aead_crypto_context_t
38 ptls_aead_context_t super;
41 vnet_crypto_op_id_t id;
42 uint8_t iv[PTLS_MAX_IV_SIZE];
43 uint8_t static_iv[PTLS_MAX_IV_SIZE];
47 quic_crypto_setup_cipher (quicly_crypto_engine_t *engine, quicly_conn_t *conn,
48 size_t epoch, int is_enc,
49 ptls_cipher_context_t **header_protect_ctx,
50 ptls_aead_context_t **packet_protect_ctx,
51 ptls_aead_algorithm_t *aead,
52 ptls_hash_algorithm_t *hash, const void *secret)
54 uint8_t hpkey[PTLS_MAX_SECRET_SIZE];
57 *packet_protect_ctx = NULL;
59 /* generate new header protection key */
60 if (header_protect_ctx != NULL)
62 *header_protect_ctx = NULL;
63 if ((ret = ptls_hkdf_expand_label (
64 hash, hpkey, aead->ctr_cipher->key_size,
65 ptls_iovec_init (secret, hash->digest_size), "quic hp",
66 ptls_iovec_init (NULL, 0), NULL)) != 0)
68 if ((*header_protect_ctx =
69 ptls_cipher_new (aead->ctr_cipher, is_enc, hpkey)) == NULL)
71 ret = PTLS_ERROR_NO_MEMORY;
76 /* generate new AEAD context */
77 if ((*packet_protect_ctx = ptls_aead_new (aead, hash, is_enc, secret,
78 QUICLY_AEAD_BASE_LABEL)) == NULL)
80 ret = PTLS_ERROR_NO_MEMORY;
84 if (epoch == QUICLY_EPOCH_1RTT && !is_enc)
86 quic_ctx_t *qctx = quic_get_conn_ctx (conn);
87 if (qctx->ingress_keys.aead_ctx != NULL)
88 qctx->key_phase_ingress++;
90 qctx->ingress_keys.aead_ctx = *packet_protect_ctx;
91 if (header_protect_ctx != NULL)
92 qctx->ingress_keys.hp_ctx = *header_protect_ctx;
100 if (packet_protect_ctx && *packet_protect_ctx != NULL)
102 ptls_aead_free (*packet_protect_ctx);
103 *packet_protect_ctx = NULL;
105 if (header_protect_ctx && *header_protect_ctx != NULL)
107 ptls_cipher_free (*header_protect_ctx);
108 *header_protect_ctx = NULL;
111 ptls_clear_memory (hpkey, sizeof (hpkey));
116 quic_crypto_aead_decrypt (quic_ctx_t *qctx, ptls_aead_context_t *_ctx,
117 void *_output, const void *input, size_t inlen,
118 uint64_t decrypted_pn, const void *aad,
121 vlib_main_t *vm = vlib_get_main ();
123 struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *) _ctx;
125 vnet_crypto_op_init (&ctx->op, ctx->id);
126 ctx->op.aad = (u8 *) aad;
127 ctx->op.aad_len = aadlen;
128 ctx->op.iv = ctx->iv;
129 ptls_aead__build_iv (ctx->super.algo, ctx->op.iv, ctx->static_iv,
131 ctx->op.src = (u8 *) input;
132 ctx->op.dst = _output;
133 ctx->op.key_index = ctx->key_index;
134 ctx->op.len = inlen - ctx->super.algo->tag_size;
135 ctx->op.tag_len = ctx->super.algo->tag_size;
136 ctx->op.tag = ctx->op.src + ctx->op.len;
138 vnet_crypto_process_ops (vm, &(ctx->op), 1);
144 quic_crypto_decrypt_packet (quic_ctx_t * qctx, quic_rx_packet_ctx_t * pctx)
146 ptls_cipher_context_t *header_protection = NULL;
147 ptls_aead_context_t *aead = NULL;
150 /* Long Header packets are not decrypted by vpp */
151 if (QUICLY_PACKET_IS_LONG_HEADER (pctx->packet.octets.base[0]))
154 uint64_t next_expected_packet_number =
155 quicly_get_next_expected_packet_number (qctx->conn);
156 if (next_expected_packet_number == UINT64_MAX)
159 aead = qctx->ingress_keys.aead_ctx;
160 header_protection = qctx->ingress_keys.hp_ctx;
162 if (!aead || !header_protection)
165 size_t encrypted_len = pctx->packet.octets.len - pctx->packet.encrypted_off;
166 uint8_t hpmask[5] = { 0 };
168 size_t pnlen, ptlen, i;
170 /* decipher the header protection, as well as obtaining pnbits, pnlen */
171 if (encrypted_len < header_protection->algo->iv_size + QUICLY_MAX_PN_SIZE)
173 ptls_cipher_init (header_protection,
174 pctx->packet.octets.base + pctx->packet.encrypted_off +
176 ptls_cipher_encrypt (header_protection, hpmask, hpmask, sizeof (hpmask));
177 pctx->packet.octets.base[0] ^=
178 hpmask[0] & (QUICLY_PACKET_IS_LONG_HEADER (pctx->packet.octets.base[0]) ?
180 pnlen = (pctx->packet.octets.base[0] & 0x3) + 1;
181 for (i = 0; i != pnlen; ++i)
183 pctx->packet.octets.base[pctx->packet.encrypted_off + i] ^=
186 (pnbits << 8) | pctx->packet.octets.base[pctx->packet.encrypted_off +
190 size_t aead_off = pctx->packet.encrypted_off + pnlen;
193 quicly_determine_packet_number (pnbits, pnlen * 8,
194 next_expected_packet_number);
197 (pctx->packet.octets.base[0] & QUICLY_KEY_PHASE_BIT) != 0;
199 if (key_phase_bit != (qctx->key_phase_ingress & 1))
201 pctx->packet.octets.base[0] ^=
203 (QUICLY_PACKET_IS_LONG_HEADER (pctx->packet.octets.base[0]) ? 0xf :
205 for (i = 0; i != pnlen; ++i)
207 pctx->packet.octets.base[pctx->packet.encrypted_off + i] ^=
213 if ((ptlen = quic_crypto_aead_decrypt (
214 qctx, aead, pctx->packet.octets.base + aead_off,
215 pctx->packet.octets.base + aead_off,
216 pctx->packet.octets.len - aead_off, pn, pctx->packet.octets.base,
217 aead_off)) == SIZE_MAX)
220 "%s: aead decryption failure (pn: %d)\n", __FUNCTION__, pn);
224 pctx->packet.encrypted_off = aead_off;
225 pctx->packet.octets.len = ptlen + aead_off;
227 pctx->packet.decrypted.pn = pn;
228 pctx->packet.decrypted.key_phase = qctx->key_phase_ingress;
232 quic_crypto_encrypt_packet (struct st_quicly_crypto_engine_t *engine,
234 ptls_cipher_context_t *header_protect_ctx,
235 ptls_aead_context_t *packet_protect_ctx,
236 ptls_iovec_t datagram, size_t first_byte_at,
237 size_t payload_from, uint64_t packet_number,
240 vlib_main_t *vm = vlib_get_main ();
242 struct cipher_context_t *hp_ctx =
243 (struct cipher_context_t *) header_protect_ctx;
244 struct aead_crypto_context_t *aead_ctx =
245 (struct aead_crypto_context_t *) packet_protect_ctx;
247 void *input = datagram.base + payload_from;
248 void *output = input;
250 datagram.len - payload_from - packet_protect_ctx->algo->tag_size;
251 const void *aad = datagram.base + first_byte_at;
252 size_t aadlen = payload_from - first_byte_at;
254 /* Build AEAD encrypt crypto operation */
255 vnet_crypto_op_init (&aead_ctx->op, aead_ctx->id);
256 aead_ctx->op.aad = (u8 *) aad;
257 aead_ctx->op.aad_len = aadlen;
258 aead_ctx->op.iv = aead_ctx->iv;
259 ptls_aead__build_iv (aead_ctx->super.algo, aead_ctx->op.iv,
260 aead_ctx->static_iv, packet_number);
261 aead_ctx->op.key_index = aead_ctx->key_index;
262 aead_ctx->op.src = (u8 *) input;
263 aead_ctx->op.dst = output;
264 aead_ctx->op.len = inlen;
265 aead_ctx->op.tag_len = aead_ctx->super.algo->tag_size;
266 aead_ctx->op.tag = aead_ctx->op.src + inlen;
267 vnet_crypto_process_ops (vm, &(aead_ctx->op), 1);
268 assert (aead_ctx->op.status == VNET_CRYPTO_OP_STATUS_COMPLETED);
270 /* Build Header protection crypto operation */
271 ptls_aead_supplementary_encryption_t supp = {
272 .ctx = header_protect_ctx,
274 datagram.base + payload_from - QUICLY_SEND_PN_SIZE + QUICLY_MAX_PN_SIZE
277 /* Build Header protection crypto operation */
278 vnet_crypto_op_init (&hp_ctx->op, hp_ctx->id);
279 memset (supp.output, 0, sizeof (supp.output));
280 hp_ctx->op.iv = (u8 *) supp.input;
281 hp_ctx->op.key_index = hp_ctx->key_index;
282 hp_ctx->op.src = (u8 *) supp.output;
283 hp_ctx->op.dst = (u8 *) supp.output;
284 hp_ctx->op.len = sizeof (supp.output);
285 vnet_crypto_process_ops (vm, &(hp_ctx->op), 1);
286 assert (hp_ctx->op.status == VNET_CRYPTO_OP_STATUS_COMPLETED);
288 datagram.base[first_byte_at] ^=
290 (QUICLY_PACKET_IS_LONG_HEADER (datagram.base[first_byte_at]) ? 0xf : 0x1f);
291 for (size_t i = 0; i != QUICLY_SEND_PN_SIZE; ++i)
292 datagram.base[payload_from + i - QUICLY_SEND_PN_SIZE] ^=
297 quic_crypto_cipher_setup_crypto (ptls_cipher_context_t *_ctx, int is_enc,
298 const void *key, const EVP_CIPHER *cipher)
300 struct cipher_context_t *ctx = (struct cipher_context_t *) _ctx;
302 vlib_main_t *vm = vlib_get_main ();
303 vnet_crypto_alg_t algo;
304 if (!strcmp (ctx->super.algo->name, "AES128-CTR"))
306 algo = VNET_CRYPTO_ALG_AES_128_CTR;
307 ctx->id = is_enc ? VNET_CRYPTO_OP_AES_128_CTR_ENC :
308 VNET_CRYPTO_OP_AES_128_CTR_DEC;
309 ptls_openssl_aes128ctr.setup_crypto (_ctx, is_enc, key);
311 else if (!strcmp (ctx->super.algo->name, "AES256-CTR"))
313 algo = VNET_CRYPTO_ALG_AES_256_CTR;
314 ctx->id = is_enc ? VNET_CRYPTO_OP_AES_256_CTR_ENC :
315 VNET_CRYPTO_OP_AES_256_CTR_DEC;
316 ptls_openssl_aes256ctr.setup_crypto (_ctx, is_enc, key);
320 QUIC_DBG (1, "%s, Invalid crypto cipher : ", __FUNCTION__,
325 if (quic_main.vnet_crypto_enabled)
327 clib_rwlock_writer_lock (&quic_main.crypto_keys_quic_rw_lock);
329 vnet_crypto_key_add (vm, algo, (u8 *) key, _ctx->algo->key_size);
330 clib_rwlock_writer_unlock (&quic_main.crypto_keys_quic_rw_lock);
337 quic_crypto_aes128ctr_setup_crypto (ptls_cipher_context_t * ctx, int is_enc,
340 return quic_crypto_cipher_setup_crypto (ctx, 1, key, EVP_aes_128_ctr ());
344 quic_crypto_aes256ctr_setup_crypto (ptls_cipher_context_t * ctx, int is_enc,
347 return quic_crypto_cipher_setup_crypto (ctx, 1, key, EVP_aes_256_ctr ());
351 quic_crypto_aead_setup_crypto (ptls_aead_context_t *_ctx, int is_enc,
352 const void *key, const void *iv,
353 const EVP_CIPHER *cipher)
355 vlib_main_t *vm = vlib_get_main ();
356 struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *) _ctx;
358 vnet_crypto_alg_t algo;
359 if (!strcmp (ctx->super.algo->name, "AES128-GCM"))
361 algo = VNET_CRYPTO_ALG_AES_128_GCM;
362 ctx->id = is_enc ? VNET_CRYPTO_OP_AES_128_GCM_ENC :
363 VNET_CRYPTO_OP_AES_128_GCM_DEC;
364 ptls_openssl_aes128gcm.setup_crypto (_ctx, is_enc, key, iv);
366 else if (!strcmp (ctx->super.algo->name, "AES256-GCM"))
368 algo = VNET_CRYPTO_ALG_AES_256_GCM;
369 ctx->id = is_enc ? VNET_CRYPTO_OP_AES_256_GCM_ENC :
370 VNET_CRYPTO_OP_AES_256_GCM_DEC;
371 ptls_openssl_aes256gcm.setup_crypto (_ctx, is_enc, key, iv);
375 QUIC_DBG (1, "%s, invalied aead cipher %s", __FUNCTION__,
380 if (quic_main.vnet_crypto_enabled)
382 clib_memcpy (ctx->static_iv, iv, ctx->super.algo->iv_size);
384 clib_rwlock_writer_lock (&quic_main.crypto_keys_quic_rw_lock);
385 ctx->key_index = vnet_crypto_key_add (vm, algo,
386 (u8 *) key, _ctx->algo->key_size);
387 clib_rwlock_writer_unlock (&quic_main.crypto_keys_quic_rw_lock);
394 quic_crypto_aead_aes128gcm_setup_crypto (ptls_aead_context_t *ctx, int is_enc,
395 const void *key, const void *iv)
397 return quic_crypto_aead_setup_crypto (ctx, is_enc, key, iv,
402 quic_crypto_aead_aes256gcm_setup_crypto (ptls_aead_context_t *ctx, int is_enc,
403 const void *key, const void *iv)
405 return quic_crypto_aead_setup_crypto (ctx, is_enc, key, iv,
410 quic_encrypt_ticket_cb (ptls_encrypt_ticket_t *_self, ptls_t *tls,
411 int is_encrypt, ptls_buffer_t *dst, ptls_iovec_t src)
413 quic_session_cache_t *self = (void *) _self;
419 /* replace the cached entry along with a newly generated session id */
420 clib_mem_free (self->data.base);
421 if ((self->data.base = clib_mem_alloc (src.len)) == NULL)
422 return PTLS_ERROR_NO_MEMORY;
424 ptls_get_context (tls)->random_bytes (self->id, sizeof (self->id));
425 clib_memcpy (self->data.base, src.base, src.len);
426 self->data.len = src.len;
428 /* store the session id in buffer */
429 if ((ret = ptls_buffer_reserve (dst, sizeof (self->id))) != 0)
431 clib_memcpy (dst->base + dst->off, self->id, sizeof (self->id));
432 dst->off += sizeof (self->id);
436 /* check if session id is the one stored in cache */
437 if (src.len != sizeof (self->id))
438 return PTLS_ERROR_SESSION_NOT_FOUND;
439 if (clib_memcmp (self->id, src.base, sizeof (self->id)) != 0)
440 return PTLS_ERROR_SESSION_NOT_FOUND;
442 /* return the cached value */
443 if ((ret = ptls_buffer_reserve (dst, self->data.len)) != 0)
445 clib_memcpy (dst->base + dst->off, self->data.base, self->data.len);
446 dst->off += self->data.len;
452 ptls_cipher_algorithm_t quic_crypto_aes128ctr = {
454 PTLS_AES128_KEY_SIZE,
457 sizeof (struct cipher_context_t),
458 quic_crypto_aes128ctr_setup_crypto
461 ptls_cipher_algorithm_t quic_crypto_aes256ctr = {
463 PTLS_AES256_KEY_SIZE,
466 sizeof (struct cipher_context_t),
467 quic_crypto_aes256ctr_setup_crypto
470 ptls_aead_algorithm_t quic_crypto_aes128gcm = {
472 &quic_crypto_aes128ctr,
473 &ptls_openssl_aes128ecb,
474 PTLS_AES128_KEY_SIZE,
476 PTLS_AESGCM_TAG_SIZE,
477 sizeof (struct aead_crypto_context_t),
478 quic_crypto_aead_aes128gcm_setup_crypto
481 ptls_aead_algorithm_t quic_crypto_aes256gcm = {
483 &quic_crypto_aes256ctr,
484 &ptls_openssl_aes256ecb,
485 PTLS_AES256_KEY_SIZE,
487 PTLS_AESGCM_TAG_SIZE,
488 sizeof (struct aead_crypto_context_t),
489 quic_crypto_aead_aes256gcm_setup_crypto
492 ptls_cipher_suite_t quic_crypto_aes128gcmsha256 = {
493 PTLS_CIPHER_SUITE_AES_128_GCM_SHA256,
494 &quic_crypto_aes128gcm, &ptls_openssl_sha256
497 ptls_cipher_suite_t quic_crypto_aes256gcmsha384 = {
498 PTLS_CIPHER_SUITE_AES_256_GCM_SHA384,
499 &quic_crypto_aes256gcm, &ptls_openssl_sha384
502 ptls_cipher_suite_t *quic_crypto_cipher_suites[] = {
503 &quic_crypto_aes256gcmsha384, &quic_crypto_aes128gcmsha256, NULL
506 quicly_crypto_engine_t quic_crypto_engine = { quic_crypto_setup_cipher,
507 quic_crypto_encrypt_packet };
510 * fd.io coding-style-patch-verification: ON
513 * eval: (c-set-style "gnu")