20 #include <picotls/openssl.h> 22 #define QUICLY_EPOCH_1RTT 3 40 uint8_t static_iv[PTLS_MAX_IV_SIZE];
44 uint8_t
iv[PTLS_MAX_IV_SIZE];
49 size_t epoch,
int is_enc,
50 ptls_cipher_context_t **header_protect_ctx,
51 ptls_aead_context_t **packet_protect_ctx,
52 ptls_aead_algorithm_t *aead,
53 ptls_hash_algorithm_t *hash,
const void *secret)
55 uint8_t hpkey[PTLS_MAX_SECRET_SIZE];
58 *packet_protect_ctx = NULL;
60 if (header_protect_ctx != NULL)
62 *header_protect_ctx = NULL;
64 ptls_hkdf_expand_label (hash, hpkey, aead->ctr_cipher->key_size,
65 ptls_iovec_init (secret, hash->digest_size),
66 "quic hp", ptls_iovec_init (NULL, 0), NULL);
69 *header_protect_ctx = ptls_cipher_new (aead->ctr_cipher, is_enc, hpkey);
70 if (NULL == *header_protect_ctx)
72 ret = PTLS_ERROR_NO_MEMORY;
79 ptls_aead_new (aead, hash, is_enc, secret, QUICLY_AEAD_BASE_LABEL);
80 if (NULL == *packet_protect_ctx)
82 ret = PTLS_ERROR_NO_MEMORY;
93 if (header_protect_ctx != NULL)
102 if (*packet_protect_ctx != NULL)
104 ptls_aead_free (*packet_protect_ctx);
105 *packet_protect_ctx = NULL;
107 if (header_protect_ctx && *header_protect_ctx != NULL)
109 ptls_cipher_free (*header_protect_ctx);
110 *header_protect_ctx = NULL;
113 ptls_clear_memory (hpkey,
sizeof (hpkey));
119 void *_output,
const void *input,
size_t inlen,
120 uint64_t decrypted_pn,
const void *aad,
134 ctx->
op.
dst = _output;
136 ctx->
op.
len = inlen - ctx->
super.algo->tag_size;
148 ptls_cipher_context_t *header_protection = NULL;
149 ptls_aead_context_t *aead = NULL;
153 if (QUICLY_PACKET_IS_LONG_HEADER (pctx->
packet.octets.base[0]))
156 uint64_t next_expected_packet_number =
157 quicly_get_next_expected_packet_number (qctx->
conn);
158 if (next_expected_packet_number == UINT64_MAX)
164 if (!aead || !header_protection)
167 size_t encrypted_len = pctx->
packet.octets.len - pctx->
packet.encrypted_off;
168 uint8_t hpmask[5] = { 0 };
170 size_t pnlen, ptlen,
i;
173 if (encrypted_len < header_protection->algo->iv_size + QUICLY_MAX_PN_SIZE)
175 ptls_cipher_init (header_protection,
178 ptls_cipher_encrypt (header_protection, hpmask, hpmask,
sizeof (hpmask));
179 pctx->
packet.octets.base[0] ^=
180 hpmask[0] & (QUICLY_PACKET_IS_LONG_HEADER (pctx->
packet.octets.base[0]) ?
182 pnlen = (pctx->
packet.octets.base[0] & 0x3) + 1;
183 for (i = 0; i != pnlen; ++
i)
188 (pnbits << 8) | pctx->
packet.octets.base[pctx->
packet.encrypted_off +
192 size_t aead_off = pctx->
packet.encrypted_off + pnlen;
195 quicly_determine_packet_number (pnbits, pnlen * 8,
196 next_expected_packet_number);
199 (pctx->
packet.octets.base[0] & QUICLY_KEY_PHASE_BIT) != 0;
203 pctx->
packet.octets.base[0] ^=
205 (QUICLY_PACKET_IS_LONG_HEADER (pctx->
packet.octets.base[0]) ? 0xf :
207 for (i = 0; i != pnlen; ++
i)
216 qctx, aead, pctx->
packet.octets.base + aead_off,
217 pctx->
packet.octets.base + aead_off,
218 pctx->
packet.octets.len - aead_off, pn, pctx->
packet.octets.base,
219 aead_off)) == SIZE_MAX)
222 "%s: aead decryption failure (pn: %d)\n", __FUNCTION__, pn);
226 pctx->
packet.encrypted_off = aead_off;
227 pctx->
packet.octets.len = ptlen + aead_off;
229 pctx->
packet.decrypted.pn = pn;
236 ptls_cipher_context_t *header_protect_ctx,
237 ptls_aead_context_t *packet_protect_ctx,
238 ptls_iovec_t datagram,
size_t first_byte_at,
239 size_t payload_from, uint64_t packet_number,
249 void *input = datagram.base + payload_from;
250 void *output = input;
252 datagram.len - payload_from - packet_protect_ctx->algo->tag_size;
253 const void *aad = datagram.base + first_byte_at;
254 size_t aadlen = payload_from - first_byte_at;
260 aead_ctx->
op.
iv = aead_ctx->
iv;
261 ptls_aead__build_iv (aead_ctx->
super.algo, aead_ctx->
op.
iv,
264 aead_ctx->
op.
src = (
u8 *) input;
265 aead_ctx->
op.
dst = output;
266 aead_ctx->
op.
len = inlen;
273 ptls_aead_supplementary_encryption_t supp = {
274 .ctx = header_protect_ctx,
276 datagram.base + payload_from - QUICLY_SEND_PN_SIZE + QUICLY_MAX_PN_SIZE
281 memset (supp.output, 0, sizeof (supp.output));
282 hp_ctx->
op.
iv = (
u8 *) supp.input;
284 hp_ctx->
op.
src = (
u8 *) supp.output;
285 hp_ctx->
op.
dst = (
u8 *) supp.output;
286 hp_ctx->
op.
len = sizeof (supp.output);
290 datagram.base[first_byte_at] ^=
292 (QUICLY_PACKET_IS_LONG_HEADER (datagram.base[first_byte_at]) ? 0xf : 0x1f);
293 for (
size_t i = 0;
i != QUICLY_SEND_PN_SIZE; ++
i)
294 datagram.base[payload_from +
i - QUICLY_SEND_PN_SIZE] ^=
300 const void *
key,
const EVP_CIPHER *cipher)
306 if (!strcmp (ctx->
super.algo->name,
"AES128-CTR"))
308 algo = VNET_CRYPTO_ALG_AES_128_CTR;
309 ctx->
id = is_enc ? VNET_CRYPTO_OP_AES_128_CTR_ENC :
310 VNET_CRYPTO_OP_AES_128_CTR_DEC;
311 ptls_openssl_aes128ctr.setup_crypto (_ctx, is_enc, key);
313 else if (!strcmp (ctx->
super.algo->name,
"AES256-CTR"))
315 algo = VNET_CRYPTO_ALG_AES_256_CTR;
316 ctx->
id = is_enc ? VNET_CRYPTO_OP_AES_256_CTR_ENC :
317 VNET_CRYPTO_OP_AES_256_CTR_DEC;
318 ptls_openssl_aes256ctr.setup_crypto (_ctx, is_enc, key);
322 QUIC_DBG (1,
"%s, Invalid crypto cipher : ", __FUNCTION__,
354 const void *
key,
const void *
iv,
355 const EVP_CIPHER *cipher)
361 if (!strcmp (ctx->
super.algo->name,
"AES128-GCM"))
363 algo = VNET_CRYPTO_ALG_AES_128_GCM;
364 ctx->
id = is_enc ? VNET_CRYPTO_OP_AES_128_GCM_ENC :
365 VNET_CRYPTO_OP_AES_128_GCM_DEC;
366 ptls_openssl_aes128gcm.setup_crypto (_ctx, is_enc, key, iv);
368 else if (!strcmp (ctx->
super.algo->name,
"AES256-GCM"))
370 algo = VNET_CRYPTO_ALG_AES_256_GCM;
371 ctx->
id = is_enc ? VNET_CRYPTO_OP_AES_256_GCM_ENC :
372 VNET_CRYPTO_OP_AES_256_GCM_DEC;
373 ptls_openssl_aes256gcm.setup_crypto (_ctx, is_enc, key, iv);
377 QUIC_DBG (1,
"%s, invalied aead cipher %s", __FUNCTION__,
388 (
u8 *) key, _ctx->algo->key_size);
397 const void *
key,
const void *
iv)
405 const void *
key,
const void *
iv)
413 int is_encrypt, ptls_buffer_t *
dst, ptls_iovec_t
src)
424 return PTLS_ERROR_NO_MEMORY;
426 ptls_get_context (tls)->random_bytes (self->id, sizeof (self->id));
428 self->data.len = src.len;
431 if ((ret = ptls_buffer_reserve (dst,
sizeof (self->id))) != 0)
433 clib_memcpy (dst->base + dst->off, self->id, sizeof (self->id));
434 dst->off +=
sizeof (
self->id);
439 if (src.len != sizeof (self->id))
440 return PTLS_ERROR_SESSION_NOT_FOUND;
441 if (
clib_memcmp (self->id, src.base, sizeof (self->id)) != 0)
442 return PTLS_ERROR_SESSION_NOT_FOUND;
445 if ((ret = ptls_buffer_reserve (dst, self->data.len)) != 0)
447 clib_memcpy (dst->base + dst->off, self->data.base, self->data.len);
448 dst->off +=
self->data.len;
454 ptls_cipher_algorithm_t quic_crypto_aes128ctr = {
456 PTLS_AES128_KEY_SIZE,
460 quic_crypto_aes128ctr_setup_crypto
463 ptls_cipher_algorithm_t quic_crypto_aes256ctr = {
465 PTLS_AES256_KEY_SIZE,
469 quic_crypto_aes256ctr_setup_crypto
472 ptls_aead_algorithm_t quic_crypto_aes128gcm = {
474 PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
475 PTLS_AESGCM_INTEGRITY_LIMIT,
477 &ptls_openssl_aes128ecb,
478 PTLS_AES128_KEY_SIZE,
480 PTLS_AESGCM_TAG_SIZE,
482 quic_crypto_aead_aes128gcm_setup_crypto
485 ptls_aead_algorithm_t quic_crypto_aes256gcm = {
487 PTLS_AESGCM_CONFIDENTIALITY_LIMIT,
488 PTLS_AESGCM_INTEGRITY_LIMIT,
490 &ptls_openssl_aes256ecb,
491 PTLS_AES256_KEY_SIZE,
493 PTLS_AESGCM_TAG_SIZE,
495 quic_crypto_aead_aes256gcm_setup_crypto
498 ptls_cipher_suite_t quic_crypto_aes128gcmsha256 = {
499 PTLS_CIPHER_SUITE_AES_128_GCM_SHA256,
503 ptls_cipher_suite_t quic_crypto_aes256gcmsha384 = {
504 PTLS_CIPHER_SUITE_AES_256_GCM_SHA384,
508 ptls_cipher_suite_t *quic_crypto_cipher_suites[] = {
513 quic_crypto_encrypt_packet };
u32 vnet_crypto_process_ops(vlib_main_t *vm, vnet_crypto_op_t ops[], u32 n_ops)
ptls_cipher_context_t super
uint8_t static_iv[PTLS_MAX_IV_SIZE]
static void clib_rwlock_writer_lock(clib_rwlock_t *p)
ptls_cipher_context_t * hp_ctx
static int quic_crypto_aead_aes128gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
static int quic_crypto_aead_aes256gcm_setup_crypto(ptls_aead_context_t *ctx, int is_enc, const void *key, const void *iv)
#define QUIC_DBG(_lvl, _fmt, _args...)
#define clib_memcpy(d, s, n)
clib_rwlock_t crypto_keys_quic_rw_lock
static int quic_crypto_setup_cipher(quicly_crypto_engine_t *engine, quicly_conn_t *conn, size_t epoch, int is_enc, ptls_cipher_context_t **header_protect_ctx, ptls_aead_context_t **packet_protect_ctx, ptls_aead_algorithm_t *aead, ptls_hash_algorithm_t *hash, const void *secret)
static_always_inline void vnet_crypto_op_init(vnet_crypto_op_t *op, vnet_crypto_op_id_t type)
ptls_cipher_algorithm_t quic_crypto_aes128ctr
void quic_crypto_encrypt_packet(struct st_quicly_crypto_engine_t *engine, quicly_conn_t *conn, ptls_cipher_context_t *header_protect_ctx, ptls_aead_context_t *packet_protect_ctx, ptls_iovec_t datagram, size_t first_byte_at, size_t payload_from, uint64_t packet_number, int coalesced)
struct quic_ctx_::@771 ingress_keys
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
static int quic_crypto_cipher_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key, const EVP_CIPHER *cipher)
static int quic_crypto_aes128ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
ptls_cipher_suite_t quic_crypto_aes256gcmsha384
uint8_t iv[PTLS_MAX_IV_SIZE]
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
static void clib_rwlock_writer_unlock(clib_rwlock_t *p)
quicly_conn_t * conn
QUIC ctx case.
#define clib_memcmp(s1, s2, m1)
sll srl srl sll sra u16x4 i
void quic_crypto_decrypt_packet(quic_ctx_t *qctx, quic_rx_packet_ctx_t *pctx)
static int quic_crypto_aes256ctr_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void *key)
ptls_cipher_suite_t quic_crypto_aes128gcmsha256
static void clib_mem_free(void *p)
#define QUICLY_EPOCH_1RTT
static int quic_crypto_aead_setup_crypto(ptls_aead_context_t *_ctx, int is_enc, const void *key, const void *iv, const EVP_CIPHER *cipher)
static void * clib_mem_alloc(uword size)
static size_t quic_crypto_aead_decrypt(quic_ctx_t *qctx, ptls_aead_context_t *_ctx, void *_output, const void *input, size_t inlen, uint64_t decrypted_pn, const void *aad, size_t aadlen)
static vlib_main_t * vlib_get_main(void)
ptls_cipher_algorithm_t quic_crypto_aes256ctr
ptls_aead_context_t * aead_ctx
quicly_decoded_packet_t packet
ptls_aead_algorithm_t quic_crypto_aes256gcm
ptls_aead_context_t super
vnet_crypto_op_status_t status
int quic_encrypt_ticket_cb(ptls_encrypt_ticket_t *_self, ptls_t *tls, int is_encrypt, ptls_buffer_t *dst, ptls_iovec_t src)
vnet_crypto_main_t crypto_main
ptls_aead_algorithm_t quic_crypto_aes128gcm
quic_ctx_t * quic_get_conn_ctx(quicly_conn_t *conn)