1 #include "quic_record_shared.h"
2 #include "internal/quic_record_util.h"
3 #include "internal/common.h"
4 #include "../ssl_local.h"
6 /* Constants used for key derivation in QUIC v1. */
7 static const unsigned char quic_v1_iv_label
[] = {
8 0x71, 0x75, 0x69, 0x63, 0x20, 0x69, 0x76 /* "quic iv" */
10 static const unsigned char quic_v1_key_label
[] = {
11 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79 /* "quic key" */
13 static const unsigned char quic_v1_hp_label
[] = {
14 0x71, 0x75, 0x69, 0x63, 0x20, 0x68, 0x70 /* "quic hp" */
16 static const unsigned char quic_v1_ku_label
[] = {
17 0x71, 0x75, 0x69, 0x63, 0x20, 0x6b, 0x75 /* "quic ku" */
20 OSSL_QRL_ENC_LEVEL
*ossl_qrl_enc_level_set_get(OSSL_QRL_ENC_LEVEL_SET
*els
,
24 OSSL_QRL_ENC_LEVEL
*el
;
26 if (!ossl_assert(enc_level
< QUIC_ENC_LEVEL_NUM
))
29 el
= &els
->el
[enc_level
];
33 case QRL_EL_STATE_PROV_NORMAL
:
34 case QRL_EL_STATE_PROV_UPDATING
:
35 case QRL_EL_STATE_PROV_COOLDOWN
:
44 int ossl_qrl_enc_level_set_have_el(OSSL_QRL_ENC_LEVEL_SET
*els
,
47 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
50 case QRL_EL_STATE_UNPROV
:
52 case QRL_EL_STATE_PROV_NORMAL
:
53 case QRL_EL_STATE_PROV_UPDATING
:
54 case QRL_EL_STATE_PROV_COOLDOWN
:
57 case QRL_EL_STATE_DISCARDED
:
62 int ossl_qrl_enc_level_set_has_keyslot(OSSL_QRL_ENC_LEVEL_SET
*els
,
64 unsigned char tgt_state
,
67 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
69 if (!ossl_assert(el
!= NULL
&& keyslot
< 2))
73 case QRL_EL_STATE_PROV_NORMAL
:
74 case QRL_EL_STATE_PROV_UPDATING
:
75 return enc_level
== QUIC_ENC_LEVEL_1RTT
|| keyslot
== 0;
76 case QRL_EL_STATE_PROV_COOLDOWN
:
77 assert(enc_level
== QUIC_ENC_LEVEL_1RTT
);
78 return keyslot
== (el
->key_epoch
& 1);
84 static void el_teardown_keyslot(OSSL_QRL_ENC_LEVEL_SET
*els
,
88 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
90 if (!ossl_qrl_enc_level_set_has_keyslot(els
, enc_level
, el
->state
, keyslot
))
93 if (el
->cctx
[keyslot
] != NULL
) {
94 EVP_CIPHER_CTX_free(el
->cctx
[keyslot
]);
95 el
->cctx
[keyslot
] = NULL
;
98 OPENSSL_cleanse(el
->iv
[keyslot
], sizeof(el
->iv
[keyslot
]));
101 static int el_setup_keyslot(OSSL_QRL_ENC_LEVEL_SET
*els
,
103 unsigned char tgt_state
,
105 const unsigned char *secret
,
108 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
109 unsigned char key
[EVP_MAX_KEY_LENGTH
];
110 size_t key_len
= 0, iv_len
= 0;
111 const char *cipher_name
= NULL
;
112 EVP_CIPHER
*cipher
= NULL
;
113 EVP_CIPHER_CTX
*cctx
= NULL
;
115 if (!ossl_assert(el
!= NULL
116 && ossl_qrl_enc_level_set_has_keyslot(els
, enc_level
,
117 tgt_state
, keyslot
))) {
118 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
122 cipher_name
= ossl_qrl_get_suite_cipher_name(el
->suite_id
);
123 iv_len
= ossl_qrl_get_suite_cipher_iv_len(el
->suite_id
);
124 key_len
= ossl_qrl_get_suite_cipher_key_len(el
->suite_id
);
125 if (cipher_name
== NULL
) {
126 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
130 if (secret_len
!= ossl_qrl_get_suite_secret_len(el
->suite_id
)
131 || secret_len
> EVP_MAX_KEY_LENGTH
) {
132 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
136 assert(el
->cctx
[keyslot
] == NULL
);
138 /* Derive "quic iv" key. */
139 if (!tls13_hkdf_expand_ex(el
->libctx
, el
->propq
,
143 sizeof(quic_v1_iv_label
),
145 el
->iv
[keyslot
], iv_len
, 1))
148 /* Derive "quic key" key. */
149 if (!tls13_hkdf_expand_ex(el
->libctx
, el
->propq
,
153 sizeof(quic_v1_key_label
),
158 /* Create and initialise cipher context. */
159 if ((cipher
= EVP_CIPHER_fetch(el
->libctx
, cipher_name
, el
->propq
)) == NULL
) {
160 ERR_raise(ERR_LIB_SSL
, ERR_R_EVP_LIB
);
164 if ((cctx
= EVP_CIPHER_CTX_new()) == NULL
) {
165 ERR_raise(ERR_LIB_SSL
, ERR_R_EVP_LIB
);
169 if (!ossl_assert(iv_len
== (size_t)EVP_CIPHER_get_iv_length(cipher
))
170 || !ossl_assert(key_len
== (size_t)EVP_CIPHER_get_key_length(cipher
))) {
171 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
175 /* IV will be changed on RX/TX so we don't need to use a real value here. */
176 if (!EVP_CipherInit_ex(cctx
, cipher
, NULL
, key
, el
->iv
[keyslot
], 0)) {
177 ERR_raise(ERR_LIB_SSL
, ERR_R_EVP_LIB
);
181 el
->cctx
[keyslot
] = cctx
;
183 /* Zeroize intermediate keys. */
184 OPENSSL_cleanse(key
, sizeof(key
));
185 EVP_CIPHER_free(cipher
);
189 EVP_CIPHER_CTX_free(cctx
);
190 EVP_CIPHER_free(cipher
);
191 OPENSSL_cleanse(el
->iv
[keyslot
], sizeof(el
->iv
[keyslot
]));
192 OPENSSL_cleanse(key
, sizeof(key
));
196 int ossl_qrl_enc_level_set_provide_secret(OSSL_QRL_ENC_LEVEL_SET
*els
,
197 OSSL_LIB_CTX
*libctx
,
202 const unsigned char *secret
,
204 unsigned char init_key_phase_bit
,
207 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
208 unsigned char ku_key
[EVP_MAX_KEY_LENGTH
], hpr_key
[EVP_MAX_KEY_LENGTH
];
209 int have_ks0
= 0, have_ks1
= 0, own_md
= 0;
210 const char *md_name
= ossl_qrl_get_suite_md_name(suite_id
);
211 size_t hpr_key_len
, init_keyslot
;
215 || init_key_phase_bit
> 1 || is_tx
< 0 || is_tx
> 1
216 || (init_key_phase_bit
> 0 && enc_level
!= QUIC_ENC_LEVEL_1RTT
)) {
217 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
221 if (enc_level
== QUIC_ENC_LEVEL_INITIAL
222 && el
->state
== QRL_EL_STATE_PROV_NORMAL
) {
224 * Sometimes the INITIAL EL needs to be reprovisioned, namely if a
225 * connection retry occurs. Exceptionally, if the caller wants to
226 * reprovision the INITIAL EL, tear it down as usual and then override
227 * the state so it can be provisioned again.
229 ossl_qrl_enc_level_set_discard(els
, enc_level
);
230 el
->state
= QRL_EL_STATE_UNPROV
;
233 if (el
->state
!= QRL_EL_STATE_UNPROV
) {
234 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
238 init_keyslot
= is_tx
? 0 : init_key_phase_bit
;
239 hpr_key_len
= ossl_qrl_get_suite_hdr_prot_key_len(suite_id
);
240 if (hpr_key_len
== 0) {
241 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
246 md
= EVP_MD_fetch(libctx
, md_name
, propq
);
248 ERR_raise(ERR_LIB_SSL
, ERR_R_EVP_LIB
);
258 el
->suite_id
= suite_id
;
259 el
->tag_len
= ossl_qrl_get_suite_cipher_tag_len(suite_id
);
261 el
->key_epoch
= (uint64_t)init_key_phase_bit
;
262 el
->is_tx
= (unsigned char)is_tx
;
264 /* Derive "quic hp" key. */
265 if (!tls13_hkdf_expand_ex(libctx
, propq
,
269 sizeof(quic_v1_hp_label
),
271 hpr_key
, hpr_key_len
, 1))
274 /* Setup KS0 (or KS1 if init_key_phase_bit), our initial keyslot. */
275 if (!el_setup_keyslot(els
, enc_level
, QRL_EL_STATE_PROV_NORMAL
,
276 init_keyslot
, secret
, secret_len
))
281 if (enc_level
== QUIC_ENC_LEVEL_1RTT
) {
282 /* Derive "quic ku" key (the epoch 1 secret). */
283 if (!tls13_hkdf_expand_ex(libctx
, propq
,
287 sizeof(quic_v1_ku_label
),
289 is_tx
? el
->ku
: ku_key
, secret_len
, 1))
293 /* Setup KS1 (or KS0 if init_key_phase_bit), our next keyslot. */
294 if (!el_setup_keyslot(els
, enc_level
, QRL_EL_STATE_PROV_NORMAL
,
295 !init_keyslot
, ku_key
, secret_len
))
300 /* Derive NEXT "quic ku" key (the epoch 2 secret). */
301 if (!tls13_hkdf_expand_ex(libctx
, propq
,
305 sizeof(quic_v1_ku_label
),
307 el
->ku
, secret_len
, 1))
312 /* Setup header protection context. */
313 if (!ossl_quic_hdr_protector_init(&el
->hpr
,
315 ossl_qrl_get_suite_hdr_prot_cipher_id(suite_id
),
316 hpr_key
, hpr_key_len
))
320 * We are now provisioned: KS0 has our current key (for key epoch 0), KS1
321 * has our next key (for key epoch 1, in the case of the 1-RTT EL only), and
322 * el->ku has the secret which will be used to generate keys for key epoch
325 OPENSSL_cleanse(hpr_key
, sizeof(hpr_key
));
326 OPENSSL_cleanse(ku_key
, sizeof(ku_key
));
327 el
->state
= QRL_EL_STATE_PROV_NORMAL
;
333 OPENSSL_cleanse(hpr_key
, sizeof(hpr_key
));
334 OPENSSL_cleanse(ku_key
, sizeof(ku_key
));
335 OPENSSL_cleanse(el
->ku
, sizeof(el
->ku
));
337 el_teardown_keyslot(els
, enc_level
, 0);
339 el_teardown_keyslot(els
, enc_level
, 1);
345 int ossl_qrl_enc_level_set_key_update(OSSL_QRL_ENC_LEVEL_SET
*els
,
348 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
350 unsigned char new_ku
[EVP_MAX_KEY_LENGTH
];
352 if (el
== NULL
|| !ossl_assert(enc_level
== QUIC_ENC_LEVEL_1RTT
)) {
353 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
357 if (el
->state
!= QRL_EL_STATE_PROV_NORMAL
) {
358 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
364 * We already have the key for the next epoch, so just move to using it.
367 el
->state
= QRL_EL_STATE_PROV_UPDATING
;
372 * TX case. For the TX side we use only keyslot 0; it replaces the old key
375 secret_len
= ossl_qrl_get_suite_secret_len(el
->suite_id
);
377 /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
378 if (!tls13_hkdf_expand_ex(el
->libctx
, el
->propq
,
381 sizeof(quic_v1_ku_label
),
383 new_ku
, secret_len
, 1))
386 el_teardown_keyslot(els
, enc_level
, 0);
388 /* Setup keyslot for CURRENT "quic ku" key. */
389 if (!el_setup_keyslot(els
, enc_level
, QRL_EL_STATE_PROV_NORMAL
,
390 0, el
->ku
, secret_len
))
395 memcpy(el
->ku
, new_ku
, secret_len
);
396 /* Remain in PROV_NORMAL state */
400 /* Transitions from PROV_UPDATING to PROV_COOLDOWN. */
401 int ossl_qrl_enc_level_set_key_update_done(OSSL_QRL_ENC_LEVEL_SET
*els
,
404 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
406 if (el
== NULL
|| !ossl_assert(enc_level
== QUIC_ENC_LEVEL_1RTT
)) {
407 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
411 /* No new key yet, but erase key material to aid PFS. */
412 el_teardown_keyslot(els
, enc_level
, ~el
->key_epoch
& 1);
413 el
->state
= QRL_EL_STATE_PROV_COOLDOWN
;
418 * Transitions from PROV_COOLDOWN to PROV_NORMAL. (If in PROV_UPDATING,
419 * auto-transitions to PROV_COOLDOWN first.)
421 int ossl_qrl_enc_level_set_key_cooldown_done(OSSL_QRL_ENC_LEVEL_SET
*els
,
424 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
426 unsigned char new_ku
[EVP_MAX_KEY_LENGTH
];
428 if (el
== NULL
|| !ossl_assert(enc_level
== QUIC_ENC_LEVEL_1RTT
)) {
429 ERR_raise(ERR_LIB_SSL
, ERR_R_PASSED_INVALID_ARGUMENT
);
433 if (el
->state
== QRL_EL_STATE_PROV_UPDATING
434 && !ossl_qrl_enc_level_set_key_update_done(els
, enc_level
)) {
435 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
439 if (el
->state
!= QRL_EL_STATE_PROV_COOLDOWN
) {
440 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
444 secret_len
= ossl_qrl_get_suite_secret_len(el
->suite_id
);
446 if (!el_setup_keyslot(els
, enc_level
, QRL_EL_STATE_PROV_NORMAL
,
447 ~el
->key_epoch
& 1, el
->ku
, secret_len
))
450 /* Derive NEXT "quic ku" key (the epoch n+1 secret). */
451 if (!tls13_hkdf_expand_ex(el
->libctx
, el
->propq
,
455 sizeof(quic_v1_ku_label
),
457 new_ku
, secret_len
, 1)) {
458 el_teardown_keyslot(els
, enc_level
, ~el
->key_epoch
& 1);
462 memcpy(el
->ku
, new_ku
, secret_len
);
463 el
->state
= QRL_EL_STATE_PROV_NORMAL
;
468 * Discards keying material for a given encryption level. Transitions from any
469 * state to DISCARDED.
471 void ossl_qrl_enc_level_set_discard(OSSL_QRL_ENC_LEVEL_SET
*els
,
474 OSSL_QRL_ENC_LEVEL
*el
= ossl_qrl_enc_level_set_get(els
, enc_level
, 0);
476 if (el
== NULL
|| el
->state
== QRL_EL_STATE_DISCARDED
)
479 if (ossl_qrl_enc_level_set_have_el(els
, enc_level
) == 1) {
480 ossl_quic_hdr_protector_cleanup(&el
->hpr
);
482 el_teardown_keyslot(els
, enc_level
, 0);
483 el_teardown_keyslot(els
, enc_level
, 1);
488 el
->state
= QRL_EL_STATE_DISCARDED
;