quic: packet protection

neild · neild · commit f71a821cfa7c · 2023-05-25T17:52:06.000Z
Encrypt and decrypt QUIC packets according to RFC 9001. For golang/go#58547 Change-Id: Ib7f824cf08f8520400bd38d3b3ab89e8a968114e Reviewed-on: https://go-review.googlesource.com/c/net/+/475438 Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module golang.org/x/net
 go 1.17
 
 require (
+	golang.org/x/crypto v0.9.0
 	golang.org/x/sys v0.8.0
 	golang.org/x/term v0.8.0
 	golang.org/x/text v0.9.0
diff --git a/go.sum b/go.sum
@@ -1,12 +1,15 @@
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/internal/quic/packet_protection.go b/internal/quic/packet_protection.go
@@ -0,0 +1,266 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package quic
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha256"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"hash"
+
+	"golang.org/x/crypto/chacha20"
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/cryptobyte"
+	"golang.org/x/crypto/hkdf"
+)
+
+var errInvalidPacket = errors.New("quic: invalid packet")
+
+// keys holds the cryptographic material used to protect packets
+// at an encryption level and direction. (e.g., Initial client keys.)
+//
+// keys are not safe for concurrent use.
+type keys struct {
+	// AEAD function used for packet protection.
+	aead cipher.AEAD
+
+	// The header_protection function as defined in:
+	// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.1
+	//
+	// This function takes a sample of the packet ciphertext
+	// and returns a 5-byte mask which will be applied to the
+	// protected portions of the packet header.
+	headerProtection func(sample []byte) (mask [5]byte)
+
+	// IV used to construct the AEAD nonce.
+	iv []byte
+}
+
+// newKeys creates keys for a given cipher suite and secret.
+//
+// It returns an error if the suite is unknown.
+func newKeys(suite uint16, secret []byte) (keys, error) {
+	switch suite {
+	case tls.TLS_AES_128_GCM_SHA256:
+		return newAESKeys(secret, crypto.SHA256, 128/8), nil
+	case tls.TLS_AES_256_GCM_SHA384:
+		return newAESKeys(secret, crypto.SHA384, 256/8), nil
+	case tls.TLS_CHACHA20_POLY1305_SHA256:
+		return newChaCha20Keys(secret), nil
+	}
+	return keys{}, fmt.Errorf("unknown cipher suite %x", suite)
+}
+
+func newAESKeys(secret []byte, h crypto.Hash, keyBytes int) keys {
+	// https://www.rfc-editor.org/rfc/rfc9001#section-5.1
+	key := hkdfExpandLabel(h.New, secret, "quic key", nil, keyBytes)
+	c, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+	aead, err := cipher.NewGCM(c)
+	if err != nil {
+		panic(err)
+	}
+	iv := hkdfExpandLabel(h.New, secret, "quic iv", nil, aead.NonceSize())
+	// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.3
+	hpKey := hkdfExpandLabel(h.New, secret, "quic hp", nil, keyBytes)
+	hp, err := aes.NewCipher(hpKey)
+	if err != nil {
+		panic(err)
+	}
+	var scratch [aes.BlockSize]byte
+	headerProtection := func(sample []byte) (mask [5]byte) {
+		hp.Encrypt(scratch[:], sample)
+		copy(mask[:], scratch[:])
+		return mask
+	}
+	return keys{
+		aead:             aead,
+		iv:               iv,
+		headerProtection: headerProtection,
+	}
+}
+
+func newChaCha20Keys(secret []byte) keys {
+	// https://www.rfc-editor.org/rfc/rfc9001#section-5.1
+	key := hkdfExpandLabel(sha256.New, secret, "quic key", nil, chacha20poly1305.KeySize)
+	aead, err := chacha20poly1305.New(key)
+	if err != nil {
+		panic(err)
+	}
+	iv := hkdfExpandLabel(sha256.New, secret, "quic iv", nil, aead.NonceSize())
+	// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.4
+	hpKey := hkdfExpandLabel(sha256.New, secret, "quic hp", nil, chacha20.KeySize)
+	headerProtection := func(sample []byte) [5]byte {
+		counter := uint32(sample[3])<<24 | uint32(sample[2])<<16 | uint32(sample[1])<<8 | uint32(sample[0])
+		nonce := sample[4:16]
+		c, err := chacha20.NewUnauthenticatedCipher(hpKey, nonce)
+		if err != nil {
+			panic(err)
+		}
+		c.SetCounter(counter)
+		var mask [5]byte
+		c.XORKeyStream(mask[:], mask[:])
+		return mask
+	}
+	return keys{
+		aead:             aead,
+		iv:               iv,
+		headerProtection: headerProtection,
+	}
+}
+
+// https://www.rfc-editor.org/rfc/rfc9001#section-5.2-2
+var initialSalt = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+
+// initialKeys returns the keys used to protect Initial packets.
+//
+// The Initial packet keys are derived from the Destination Connection ID
+// field in the client's first Initial packet.
+//
+// https://www.rfc-editor.org/rfc/rfc9001#section-5.2
+func initialKeys(cid []byte) (clientKeys, serverKeys keys) {
+	initialSecret := hkdf.Extract(sha256.New, cid, initialSalt)
+	clientInitialSecret := hkdfExpandLabel(sha256.New, initialSecret, "client in", nil, sha256.Size)
+	clientKeys, err := newKeys(tls.TLS_AES_128_GCM_SHA256, clientInitialSecret)
+	if err != nil {
+		panic(err)
+	}
+
+	serverInitialSecret := hkdfExpandLabel(sha256.New, initialSecret, "server in", nil, sha256.Size)
+	serverKeys, err = newKeys(tls.TLS_AES_128_GCM_SHA256, serverInitialSecret)
+	if err != nil {
+		panic(err)
+	}
+
+	return clientKeys, serverKeys
+}
+
+const headerProtectionSampleSize = 16
+
+// aeadOverhead is the difference in size between the AEAD output and input.
+// All cipher suites defined for use with QUIC have 16 bytes of overhead.
+const aeadOverhead = 16
+
+// xorIV xors the packet protection IV with the packet number.
+func (k keys) xorIV(pnum packetNumber) {
+	k.iv[len(k.iv)-8] ^= uint8(pnum >> 56)
+	k.iv[len(k.iv)-7] ^= uint8(pnum >> 48)
+	k.iv[len(k.iv)-6] ^= uint8(pnum >> 40)
+	k.iv[len(k.iv)-5] ^= uint8(pnum >> 32)
+	k.iv[len(k.iv)-4] ^= uint8(pnum >> 24)
+	k.iv[len(k.iv)-3] ^= uint8(pnum >> 16)
+	k.iv[len(k.iv)-2] ^= uint8(pnum >> 8)
+	k.iv[len(k.iv)-1] ^= uint8(pnum)
+}
+
+// initialized returns true if valid keys are available.
+func (k keys) initialized() bool {
+	return k.aead != nil
+}
+
+// discard discards the keys (in the sense that we won't use them any more,
+// not that the keys are securely erased).
+//
+// https://www.rfc-editor.org/rfc/rfc9001.html#section-4.9
+func (k *keys) discard() {
+	*k = keys{}
+}
+
+// protect applies packet protection to a packet.
+//
+// On input, hdr contains the packet header, pay the unencrypted payload,
+// pnumOff the offset of the packet number in the header, and pnum the untruncated
+// packet number.
+//
+// protect returns the result of appending the encrypted payload to hdr and
+// applying header protection.
+func (k keys) protect(hdr, pay []byte, pnumOff int, pnum packetNumber) []byte {
+	k.xorIV(pnum)
+	hdr = k.aead.Seal(hdr, k.iv, pay, hdr)
+	k.xorIV(pnum)
+
+	// Apply header protection.
+	pnumSize := int(hdr[0]&0x03) + 1
+	sample := hdr[pnumOff+4:][:headerProtectionSampleSize]
+	mask := k.headerProtection(sample)
+	if isLongHeader(hdr[0]) {
+		hdr[0] ^= mask[0] & 0x0f
+	} else {
+		hdr[0] ^= mask[0] & 0x1f
+	}
+	for i := 0; i < pnumSize; i++ {
+		hdr[pnumOff+i] ^= mask[1+i]
+	}
+
+	return hdr
+}
+
+// unprotect removes packet protection from a packet.
+//
+// On input, pkt contains the full protected packet, pnumOff the offset of
+// the packet number in the header, and pnumMax the largest packet number
+// seen in the number space of this packet.
+//
+// unprotect removes header protection from the header in pkt, and returns
+// the unprotected payload and packet number.
+func (k keys) unprotect(pkt []byte, pnumOff int, pnumMax packetNumber) (pay []byte, num packetNumber, err error) {
+	if len(pkt) < pnumOff+4+headerProtectionSampleSize {
+		fmt.Println("too short")
+		return nil, 0, errInvalidPacket
+	}
+	numpay := pkt[pnumOff:]
+	sample := numpay[4:][:headerProtectionSampleSize]
+	mask := k.headerProtection(sample)
+	if isLongHeader(pkt[0]) {
+		pkt[0] ^= mask[0] & 0x0f
+	} else {
+		pkt[0] ^= mask[0] & 0x1f
+	}
+	pnumLen := int(pkt[0]&0x03) + 1
+	pnum := packetNumber(0)
+	for i := 0; i < pnumLen; i++ {
+		numpay[i] ^= mask[1+i]
+		pnum = (pnum << 8) | packetNumber(numpay[i])
+	}
+	pnum = decodePacketNumber(pnumMax, pnum, pnumLen)
+
+	hdr := pkt[:pnumOff+pnumLen]
+	pay = numpay[pnumLen:]
+	k.xorIV(pnum)
+	pay, err = k.aead.Open(pay[:0], k.iv, pay, hdr)
+	k.xorIV(pnum)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return pay, pnum, nil
+}
+
+// hdkfExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
+//
+// Copied from crypto/tls/key_schedule.go.
+func hkdfExpandLabel(hash func() hash.Hash, secret []byte, label string, context []byte, length int) []byte {
+	var hkdfLabel cryptobyte.Builder
+	hkdfLabel.AddUint16(uint16(length))
+	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
+		b.AddBytes([]byte("tls13 "))
+		b.AddBytes([]byte(label))
+	})
+	hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
+		b.AddBytes(context)
+	})
+	out := make([]byte, length)
+	n, err := hkdf.Expand(hash, secret, hkdfLabel.BytesOrPanic()).Read(out)
+	if err != nil || n != length {
+		panic("quic: HKDF-Expand-Label invocation failed unexpectedly")
+	}
+	return out
+}
diff --git a/internal/quic/packet_protection_test.go b/internal/quic/packet_protection_test.go
